CVE-2026-37531
9.8 CRITICALAGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-...
Published: 2026-05-01 · Last updated: 2026-05-18
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-22, CWE-367
Affected products
| Vendor | Product |
|---|---|
| linuxfoundation | automotive_grade_linux |
Description
AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal sequences it only blocks absolute paths. The zread extraction function uses openat(workdirfd, filename, O_CREAT) which resolves dot notation values relative to the work directory, allowing files to be written anywhere on the filesystem. Critically, in function install_widget in file wgtpkg-install.c, extraction via zread occurs BEFORE signature verification via check_all_signatures. Even if signature verification fails, the error cleanup (remove_workdir) only deletes the temporary work directory files written outside via path traversal persist permanently.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-44477 — CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments (9.9 CRITICAL)
- CVE-2026-44247 — Volcano is a Kubernetes-native batch scheduling system (6.8 MEDIUM)
- CVE-2026-44374 — Backstage is an open framework for building developer portals (4.3 MEDIUM)
- CVE-2026-45321 — On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm ... (9.6 CRITICAL)
- CVE-2026-37530 — AGL agl-service-can-low-level thru 17.1.12 contains a stack buffer overflow in the uds-c library (7.5 HIGH)
Same CWE
- CVE-2026-52726 — Dulwich is a pure-Python implementation of the Git file formats and protocols (7.5 HIGH)
- CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
- CVE-2026-47712 — Dulwich is a pure-Python implementation of the Git file formats and protocols (3.3 LOW)
- CVE-2026-46703 — Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to ru... (9.6 CRITICAL)
- CVE-2026-42305 — Dulwich is a pure-Python implementation of the Git file formats and protocols (8.8 HIGH)