PatchSiren cyber security CVE debrief
CVE-2026-44604 Red Hat CVE debrief
A command injection vulnerability exists in the `rpmuncompress` utility of RPM, affecting extraction of ZIP, 7z, and GEM archive formats. The tool constructs shell commands using the archive's top-level folder name without proper sanitization, allowing shell metacharacters in crafted archive names to execute arbitrary commands as the extracting user. The vulnerability requires local access with user interaction to trigger extraction of a malicious archive. The CVSS 3.1 vector indicates high impact to confidentiality, integrity, and availability, with a local attack vector, high attack complexity, no privileges required, and user interaction needed.
- Vendor: Red Hat
- Product: Pen Drive Powered by Red Hat Lightspeed
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
System administrators managing RPM-based Linux distributions, security teams monitoring package management infrastructure, developers implementing automated archive processing pipelines, and organizations using RPM tools for software distribution or build processes.
Technical summary
The rpmuncompress utility in the RPM package manager fails to sanitize top-level folder names from ZIP, 7z, and GEM archives when constructing shell commands for extraction to a destination directory. An attacker can craft an archive with shell metacharacters embedded in the folder name to achieve arbitrary command execution. The vulnerability is classified as CWE-78 (OS Command Injection) with a CVSS 3.1 score of 7.0 (HIGH). An attack requires local access and user interaction to process the malicious archive, and the high attack complexity limits exploitation scenarios.
Defensive priority
HIGH
Recommended defensive actions
- Audit systems for RPM package manager installations and identify use of the rpmuncompress utility
- Review extraction workflows involving ZIP, 7z, or GEM archives to identify automated or user-triggered processing
- Implement input validation for archive file names before extraction operations
- Apply principle of least privilege to processes performing archive extraction
- Monitor for security advisories from Red Hat regarding patch availability for this CVE
- Consider sandboxing or containerization for archive extraction operations pending vendor fix
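One way to apply the input-validation action before an archive reaches any extraction tool, as an added example (not code from the advisory or from RPM). It covers ZIP only; the allowlist pattern and all function names are assumptions of this sketch, and the sample archives are constructed in memory.

```python
import io
import re
import zipfile

# Allowlist for one path component (an assumption of this example, tune per
# workflow): letters, digits, dot, underscore, plus and hyphen only.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9._+-]+")


def top_level_names(zip_bytes):
    """Return the first path component of every member in a ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name.split("/", 1)[0] for name in zf.namelist()}


def unsafe_top_level(zip_bytes):
    """Return the sorted top-level names that should block extraction."""
    bad = []
    for name in top_level_names(zip_bytes):
        # An empty name means an absolute member path; a leading "-" could be
        # read as an option by whatever tool later receives the name.
        if (name in (".", "..") or name.startswith("-")
                or not SAFE_COMPONENT.fullmatch(name)):
            bad.append(name)
    return sorted(bad)


def make_zip(member_names):
    """Build a constructed sample archive in memory (no files on disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in member_names:
            zf.writestr(member, b"sample")
    return buf.getvalue()


# Constructed samples: one ordinary source tree, one whose top-level folder
# name carries shell metacharacters.
CLEAN = make_zip(["demo-1.0/README", "demo-1.0/src/main.c"])
HOSTILE = make_zip(["demo;echo x/README"])

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("hostile", HOSTILE)):
        bad = unsafe_top_level(data)
        print(label, "-> reject" if bad else "-> ok", bad)
```

An allowlist is used rather than a list of known metacharacters so that any name outside the expected character set is rejected by default.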
Evidence notes
The vulnerability was disclosed via NVD on 2026-05-28 with vendor references to Red Hat Security and Bugzilla. CWE-78 (OS Command Injection) is classified as the primary weakness. NVD lists the entry with an awaiting analysis status. Vendor attribution to Red Hat is indicated through reference domain analysis with low confidence and requires review.
Official resources
2026-05-28