Cyber Resilience

CVE-2026-24049

Severity: High · Public PoC · LPE

Published: 22 January 2026
Modified: 18 February 2026
KEV Added: not listed
Patch: wheel 0.46.2
CVSS v3.1 Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0001 (3.3rd percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24049 is a high-severity Path Traversal (CWE-22) vulnerability in the Wheel Project's wheel tool. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 3.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-24049 affects the wheel command line tool for manipulating Python wheel files as defined in PEP 427. In versions 0.40.0 through 0.46.2, the unpack function mishandles file permissions after extraction by blindly trusting the filename from the archive header during the chmod operation, even if the extraction process has sanitized the path. This vulnerability, associated with CWE-22 (path traversal) and CWE-732 (incorrect permission assignment), has a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H).

Because the chmod target is taken from the archive rather than from the sanitized extraction path, a local attacker with no privileges can craft a wheel file that, when a user unpacks it, changes permissions on critical system files such as /etc/passwd, SSH keys, or configuration files. Making such scripts writable and executable enables privilege escalation or arbitrary code execution; user interaction is required to trigger the unpack operation.

The issue has been addressed in wheel version 0.46.2, as detailed in the project's security advisory (GHSA-8rrh-rw8j-w5fx), release notes, and the fixing commit (7a7d2de96b22a9adf9208afcc9547e1001569fef). Security practitioners should upgrade to 0.46.2 or later and audit wheel usage in Python environments to prevent unpacking untrusted wheel files.
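The mismatch described above (the extraction path is sanitized, but the chmod keys on the raw archive filename) is shown below as an added Python illustration; it is not wheel's own code. A minimal unpacker reproduces the bug pattern beside a hardened version that derives the chmod target from the same confined path it extracted to and rejects members that escape the destination. The archive, the extraction roots and the "victim" file are all constructed inside a temporary directory so the demonstration stays self-contained; `build_archive`, `unpack_vulnerable`, `unpack_hardened`, `_confined_path` and `demo` are names chosen here, not wheel APIs.

```python
"""Added illustration of the sanitize-then-chmod mismatch in a zip/wheel unpacker.

Not wheel's code: a minimal unpacker showing the bug class the advisory describes
(chmod keyed on the RAW archive filename after zipfile sanitized the extraction
path) next to a hardened version that chmods the confined path it actually wrote.
"""
import io
import os
import stat
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple


def _confined_path(dest: str, member_name: str) -> Optional[str]:
    """Resolve member_name under dest; return None if it escapes dest
    (.. segments, absolute names, or symlinked parents pointing outside)."""
    dest_real = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(dest_real, member_name))
    if os.path.commonpath([dest_real, candidate]) != dest_real:
        return None
    return candidate


def build_archive(entries: Dict[str, Tuple[bytes, int]]) -> bytes:
    """Constructed sample: in-memory zip whose members carry unix mode bits in
    external_attr (the field an unpacker reads back for chmod)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, (data, mode) in entries.items():
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(zi, data)
    return buf.getvalue()


def unpack_vulnerable(archive: bytes, dest: str) -> List[str]:
    """Bug pattern: zipfile.extract() strips '..' so the file lands inside dest,
    but chmod is then applied to dest joined with the unsanitized member name."""
    touched = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            zf.extract(info, dest)  # sanitized path: '../x' becomes dest/x
            mode = (info.external_attr >> 16) & 0o777
            if mode:
                raw_target = os.path.join(dest, info.filename)  # traversal survives here
                os.chmod(raw_target, mode)
                touched.append(raw_target)
    return touched


def unpack_hardened(archive: bytes, dest: str) -> List[str]:
    """Fix pattern: compute the confined path once, write to it, chmod that same
    path. Escaping members are rejected (not silently relocated) and the
    setuid/setgid/sticky bits are masked off before chmod."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = _confined_path(dest, info.filename)
            if target is None:
                raise ValueError(f"refusing member outside destination: {info.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            mode = (info.external_attr >> 16) & 0o777
            if mode:
                os.chmod(target, mode)  # same path we just wrote, never the raw name
            written.append(target)
    return written


def demo() -> dict:
    """Run both unpackers in a temp dir. 'victim.txt' stands in for a file that
    lives outside the extraction root; its mode before and after tells the story."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.txt")
        with open(victim, "w") as f:
            f.write("outside the extraction root\n")
        os.chmod(victim, 0o600)

        # Constructed archive: one normal member, one traversal name with a permissive mode.
        archive = build_archive({
            "pkg/__init__.py": (b"", 0o644),
            "../victim.txt": (b"ignored", 0o777),
        })

        unpack_vulnerable(archive, os.path.join(tmp, "dest_a"))
        results["vuln_victim_mode"] = stat.S_IMODE(os.stat(victim).st_mode)  # now 0o777

        os.chmod(victim, 0o600)
        try:
            unpack_hardened(archive, os.path.join(tmp, "dest_b"))
            results["hardened_raised"] = False
        except ValueError:
            results["hardened_raised"] = True
        results["hardened_victim_mode"] = stat.S_IMODE(os.stat(victim).st_mode)  # still 0o600

        # Legitimate executable member: hardened path preserves its mode inside dest.
        benign = build_archive({"pkg/run.sh": (b"#!/bin/sh\n", 0o755)})
        written = unpack_hardened(benign, os.path.join(tmp, "dest_c"))
        results["benign_mode"] = stat.S_IMODE(os.stat(written[0]).st_mode)
    return results


if __name__ == "__main__":
    print(demo())
```

The defensive point is the single source of truth for the path: whatever string is used to open the output file must be the string passed to chmod, and that string must already have been confined to the destination. Checking the resolved path with `os.path.realpath` plus `os.path.commonpath` also catches absolute member names and parents that are symlinks out of the tree, which a plain `..` filter would miss.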

EU & UK References

Vulnerability details

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1222.002 Linux and Mac Permissions Defense Impairment
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.
Why these techniques?

The vulnerability directly enables an unauthorized chmod on critical files (e.g. /etc/passwd) via a malicious wheel unpack, mapping to permission modification (T1222.002) and the resulting privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-43243 (shared CWE-732)
CVE-2025-27688 (shared CWE-732)
CVE-2026-35341 (shared CWE-732)
CVE-2026-8110 (shared CWE-732)
CVE-2026-35338 (shared CWE-22)
CVE-2026-25112 (shared CWE-732)
CVE-2026-22768 (shared CWE-732)
CVE-2025-12985 (shared CWE-732)
CVE-2026-33747 (shared CWE-22)
CVE-2025-54307 (shared CWE-22)

Affected Assets

Vendor: wheel project
Product: wheel
Affected versions: 0.40.0 — 0.46.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly enforces validation and sanitization of untrusted filenames and permission metadata extracted from wheel archives before any chmod operation.

AC-6 Least Privilege (prevent)

Ensures the wheel unpack process runs with only the minimum privileges required, preventing modification of permissions on critical system files even if path data is trusted.

prevent

Restricts the ability to change file permissions or ownership on protected system paths, blocking the chmod abuse that results from the flawed unpack logic.

References