The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

No data.

No data.

No data.

No data.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cq3j-qj2h-6rv3 Container and Containerization archive extraction does not guard against escapes from extraction base directory.
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/apple/containerization/security/advisories/GHSA-cq3j-qj2h-6rv3 cve-icon cve-icon
History

Fri, 23 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Description The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0.
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-01-22T23:58:20.556Z

Reserved: 2025-11-11T14:43:07.858Z

Link: CVE-2026-20613

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-01-23T00:15:52.283

Modified: 2026-01-23T00:15:52.283

Link: CVE-2026-20613

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses

No weakness.