UNIX Symbolic Link (Symlink) Following

CVE-2026-41326

High

8.2/10

Summary

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions from 3.4.0 prior to 3.29.0, an oversight in the CopyFile policy (and perhaps the CopyFile handler) allows untrusted hosts to write to arbitrary locations inside the guest workload image. This can be used to overwrite binaries inside the guest and exfiltrate data from containers; even those running inside CVMs.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-61 - UNIX Symbolic Link (Symlink) Following

The software, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.

References

Advisory Timeline

Published Apr 24, 2026

UNIX Symbolic Link (Symlink) Following

CVE-2026-41326

Summary

CWE-61 - UNIX Symbolic Link (Symlink) Following

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS