PatchSiren cyber security CVE debrief

CVE-2026-37531 Linuxfoundation CVE debrief

CVE-2026-37531 describes a critical vulnerability in Automotive Grade Linux app-framework-main through 17.1.12. The widget installation flow can extract ZIP entries before signature verification, and the filename validation only blocks absolute paths rather than dot-dot traversal sequences. As a result, crafted widget archives may write files outside the intended work directory, and those files can persist even if signature verification later fails.

Vendor: Linuxfoundation
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-01
Original CVE updated: 2026-05-18
Advisory published: 2026-05-01
Advisory updated: 2026-05-18

Who should care

Automotive Grade Linux maintainers, OEMs, device integrators, and any operators who accept or process widget packages from untrusted or partially trusted sources should treat this as urgent. Systems using vulnerable app-framework-main releases through 17.1.12 are in scope.

Technical summary

NVD describes a Zip Slip path traversal issue combined with a TOCTOU race condition in the widget installation flow. The is_valid_filename logic in wgtpkg-zip.c checks for absolute paths but does not reject dot notation traversal sequences. During extraction, zread uses openat(workdirfd, filename, O_CREAT), which can resolve traversal-bearing names relative to the work directory and allow writes outside the intended extraction area. In install_widget in wgtpkg-install.c, extraction occurs before check_all_signatures, so signature validation happens too late to prevent the write. The cleanup path remove_workdir only removes the temporary work directory, leaving any files written elsewhere on the filesystem in place.

Defensive priority

Critical and urgent. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network-reachable impact with no privileges or user interaction required and high potential confidentiality, integrity, and availability impact.

Recommended defensive actions

Upgrade or replace vulnerable app-framework-main versions at or below 17.1.12 with a fixed release as soon as one is available.
Reorder widget processing so signature verification happens before any archive extraction or file creation.
Reject traversal sequences such as dot-dot path components and normalize paths before any filesystem write.
Constrain extraction to a dedicated sandbox or chroot-like boundary, and enforce path checks after canonicalization.
Audit cleanup logic so failed installations cannot leave files outside the intended work directory.
Review any widget ingestion pipelines, update services, or OTA workflows for exposure to untrusted archives.
Search for suspicious files created outside expected widget work directories and investigate any unexpected filesystem writes.

Evidence notes

This debrief is based on the supplied CVE description and NVD metadata. The vulnerable range is given by the NVD CPE criteria as Automotive Grade Linux through 17.1.12. The weakness classifications listed in the record are CWE-22 and CWE-367. The record also includes a broken Gerrit reference and a third-party advisory link.

Official resources

CVE-2026-37531 CVE record
CVE.org
CVE-2026-37531 NVD detail
NVD
Source item URL
nvd_modified
Source reference
[email protected] - Broken Link
Mitigation or vendor reference
[email protected] - Third Party Advisory

Publicly disclosed in the CVE record on 2026-05-01; the NVD record was modified on 2026-05-18.