CVE-2021-40153
8.1 HIGHsquashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to cre...
Published: 2021-08-27 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 8.1 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
- CWE
- CWE-22
Affected products
| Vendor | Product |
|---|---|
| debian | debian_linux, enterprise_linux, fedora |
| fedoraproject | debian_linux, enterprise_linux, fedora |
| redhat | debian_linux, enterprise_linux, fedora |
| squashfs-tools_project | debian_linux, enterprise_linux, fedora |
Description
squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is then used by unsquashfs to create the new file during the unsquash. The filename is not validated for traversal outside of the destination directory, and thus allows writing to locations outside of the destination.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-40153
- [Other]https://bugs.launchpad.net/ubuntu/+source/squashfs-tools/+bug/1941790
- [Patch]https://github.com/plougher/squashfs-tools/commit/79b5a555058eef4e1e7ff220c344d39f8cd09646
- [Exploit reference]https://github.com/plougher/squashfs-tools/issues/72
- [Other]https://lists.debian.org/debian-lts-announce/2021/08/msg00030.html
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSMRKVJMJFX3MB7D3PXJSYY3TLZROE5S/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAOZ4BKWAC4Y3U2K5MMW3S77HWWXHQDL/
- [Other]https://security.gentoo.org/glsa/202305-29
- [Other]https://www.debian.org/security/2021/dsa-4967
- [Other]https://bugs.launchpad.net/ubuntu/+source/squashfs-tools/+bug/1941790
- [Patch]https://github.com/plougher/squashfs-tools/commit/79b5a555058eef4e1e7ff220c344d39f8cd09646
- [Exploit reference]https://github.com/plougher/squashfs-tools/issues/72
- [Other]https://lists.debian.org/debian-lts-announce/2021/08/msg00030.html
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSMRKVJMJFX3MB7D3PXJSYY3TLZROE5S/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAOZ4BKWAC4Y3U2K5MMW3S77HWWXHQDL/
- [Other]https://security.gentoo.org/glsa/202305-29
- [Other]https://www.debian.org/security/2021/dsa-4967
Related CVEs
Same vendor
- CVE-2026-1767 — A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component (5.6 MEDIUM)
- CVE-2026-1766 — A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 com... (5.6 MEDIUM)
- CVE-2026-11793 — A stack buffer overflow flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11790 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11789 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
Same CWE
- CVE-2026-48777 — FileBrowser Quantum is a free, self-hosted, web-based file manager
- CVE-2026-8442 — The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)
- CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
- CVE-2026-49061 — Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
- CVE-2026-40779 — Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)