CVE-2026-40024
Published: 08 April 2026
Summary
CVE-2026-40024 is a high-severity Path Traversal (CWE-22) vulnerability in The Sleuth Kit (vendor: Sleuthkit). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cron (T1053.003). The vulnerability is ranked at the 12.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates CVE-2026-40024 by requiring timely patching of the path traversal flaw in The Sleuth Kit's tsk_recover as addressed in the referenced GitHub commit.
- SI-10 (Information Input Validation): Prevents exploitation of the path traversal vulnerability by enforcing validation of filenames and directory paths extracted from filesystem images to block traversal sequences like ../.
- Enables identification of systems running vulnerable versions of The Sleuth Kit through vulnerability scanning, facilitating remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables arbitrary file writes via crafted images processed by tsk_recover; this directly facilitates overwriting cron entries (T1053.003) or shell configs (T1546.004) for code execution as described.
NVD Description
The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can craft a malicious filesystem image with embedded /../ sequences in filenames that, when processed by tsk_recover, writes files outside the output directory, potentially achieving code execution by overwriting shell configuration or cron entries.
Deeper analysis
The Sleuth Kit through version 4.14.0 is affected by CVE-2026-40024, a path traversal vulnerability (CWE-22) in the tsk_recover component. This flaw allows an attacker to write files to arbitrary locations outside the intended recovery directory by supplying a crafted filesystem image containing filenames or directory paths with path traversal sequences, such as /../ embedded in entries. When tsk_recover processes the image, it fails to properly sanitize these sequences, enabling unintended file writes.
Exploitation requires local access (AV:L) with low complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), as scored at CVSS 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). A local attacker can craft a malicious filesystem image and trick a user—such as a forensic analyst—into running tsk_recover on it with a specified output directory. Successful exploitation allows writing files outside that directory, potentially overwriting critical files like shell configurations or cron entries to achieve code execution, with high impacts on confidentiality and integrity but no availability disruption.
Mitigation is addressed in a Sleuth Kit GitHub commit (a3f96b3bc36a8bb1a00c297f77110d4a6e7dd31b), which patches the path traversal issue. Additional details are available in advisories from VulnCheck (vulncheck.com/advisories/sleuth-kit-tsk-recover-path-traversal) and Mobasi (mobasi.ai/sentinel). Security practitioners should update to a patched version of The Sleuth Kit and avoid processing untrusted filesystem images with tsk_recover.
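The input-validation control above (SI-10) comes down to one rule: a name read from an untrusted image must never be allowed to select a host path outside the recovery directory. The following is an added illustration of that rule, not code from The Sleuth Kit or from the referenced commit. `naive_recovery_path` shows the flawed pattern of joining the image name straight onto the output directory (a constructed example of the bug class, not tsk_recover's actual code); `safe_recovery_path` shows the hardened form, which filters path components and then re-checks that the result still lies under the output root. All function names and the sample filenames are assumptions made for this example.

```python
from __future__ import annotations

import os

# Constructed sample of names as they might appear in a filesystem image.
# The traversal ones are illustrations of the bug class, not values from the page.
SAMPLE_NAMES = [
    "docs/report.txt",          # ordinary relative name: allowed
    "/etc/crontab",             # absolute name: made relative, still confined
    "../../etc/crontab",        # classic traversal: rejected
    "a/../../.bashrc",          # traversal hidden behind a valid component: rejected
    "..\\..\\.profile",         # backslash variant: treated as separators, rejected
]


class UnsafeRecoveryPath(ValueError):
    """Raised when a name from the image would escape the recovery directory."""


def naive_recovery_path(output_dir: str, image_name: str) -> str:
    """Flawed pattern (constructed illustration): trust the image name as-is.

    normpath happily resolves '..' upward, and os.path.join discards
    output_dir entirely when image_name is absolute.
    """
    return os.path.normpath(os.path.join(output_dir, image_name))


def _components(image_name: str) -> list[str]:
    """Split an image name into path components, rejecting anything that
    could move the write location upward or confuse the host filesystem."""
    # Both separators are treated as separators so that a backslash can never
    # survive into a host path and be reinterpreted by a later tool.
    raw = image_name.replace("\\", "/").split("/")
    parts: list[str] = []
    for part in raw:
        if part in ("", "."):
            continue  # leading '/', doubled '//' and './' carry no meaning here
        if part == "..":
            raise UnsafeRecoveryPath(f"traversal component in {image_name!r}")
        if "\x00" in part:
            raise UnsafeRecoveryPath(f"NUL byte in {image_name!r}")
        parts.append(part)
    return parts


def safe_recovery_path(output_dir: str, image_name: str) -> str:
    """Hardened form: map an untrusted image name to a host path that is
    guaranteed (lexically) to sit underneath output_dir."""
    root = os.path.abspath(output_dir)
    parts = _components(image_name)
    if not parts:
        raise UnsafeRecoveryPath(f"empty name after sanitising {image_name!r}")
    candidate = os.path.abspath(os.path.join(root, *parts))
    # Defence in depth: even after component filtering, confirm containment.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeRecoveryPath(f"{image_name!r} resolves outside {root!r}")
    return candidate


def triage_names(output_dir: str, names: list[str]) -> dict[str, str | None]:
    """Return the confined host path for each name, or None if it was rejected."""
    results: dict[str, str | None] = {}
    for name in names:
        try:
            results[name] = safe_recovery_path(output_dir, name)
        except UnsafeRecoveryPath:
            results[name] = None
    return results


if __name__ == "__main__":
    out = "/tmp/recovered"  # assumed output directory; nothing is written to disk
    for name in SAMPLE_NAMES:
        print(f"{name!r:24} naive -> {naive_recovery_path(out, name)}")
    for name, path in triage_names(out, SAMPLE_NAMES).items():
        print(f"{name!r:24} safe  -> {path if path else 'REJECTED'}")
```

The check is purely lexical, which is what blocks the `/../` sequences described in this advisory. It does not protect against a symbolic link that the recovery run itself materialises inside the output directory and that a later write then follows; a recovery tool that extracts symlink entries should either skip them or open each target with `O_NOFOLLOW` semantics before writing.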
Details
- CWE(s)