CVE-2026-1386

Name
CVE-2026-1386
Description
A UNIX symbolic link following issue in the jailer component of Firecracker versions v1.13.1 and earlier, and v1.14.0, on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, upgrade to v1.13.2 (1.13 line) or v1.14.1 or later.
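The file-copy pattern the description refers to, as an added Rust example that is not Firecracker's jailer code: a privileged copy that follows a symlink planted at its destination, beside a hardened copy that refuses a group- or world-writable jail directory and creates the destination with O_CREAT|O_EXCL so the kernel never follows a link there. The scratch paths, file contents and the check_jail_dir / copy_no_follow helpers are constructed for the demo and are assumptions, not the jailer's actual implementation or the upstream fix.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{symlink, PermissionsExt};
use std::path::{Path, PathBuf};
use std::sync::atomic::{AtomicUsize, Ordering};

static COUNTER: AtomicUsize = AtomicUsize::new(0);

/// Fresh scratch directory under the system temp dir (no external crates).
fn scratch_dir() -> io::Result<PathBuf> {
    let n = COUNTER.fetch_add(1, Ordering::SeqCst);
    let dir = std::env::temp_dir()
        .join(format!("jailer-symlink-demo-{}-{}", std::process::id(), n));
    fs::create_dir_all(&dir)?;
    Ok(dir)
}

/// Vulnerable pattern: `fs::copy` opens `dst` with O_CREAT|O_TRUNC and follows
/// symlinks, so a link planted at `dst` redirects a root-privileged write to any host file.
fn copy_following_symlinks(src: &Path, dst: &Path) -> io::Result<u64> {
    fs::copy(src, dst)
}

/// Refuse a jail directory that is a symlink, not a directory, or writable by
/// group/others: each lets a local user plant links before the privileged copy.
fn check_jail_dir(dir: &Path) -> io::Result<()> {
    let meta = fs::symlink_metadata(dir)?;
    let err = |msg: String| io::Error::new(io::ErrorKind::PermissionDenied, msg);
    if meta.file_type().is_symlink() {
        return Err(err(format!("{} is a symlink", dir.display())));
    }
    if !meta.is_dir() {
        return Err(err(format!("{} is not a directory", dir.display())));
    }
    let mode = meta.permissions().mode() & 0o777;
    if mode & 0o022 != 0 {
        return Err(err(format!("{} is group/world writable (mode {:o})", dir.display(), mode)));
    }
    Ok(())
}

/// Hardened copy: `create_new` is O_CREAT|O_EXCL, which fails with EEXIST when
/// anything (even a dangling symlink) already sits at `dst`, so the kernel never
/// follows a planted link. The symlink_metadata probe only improves the error;
/// O_EXCL is what closes the race.
fn copy_no_follow(src: &Path, dst: &Path) -> io::Result<u64> {
    if let Some(parent) = dst.parent() {
        check_jail_dir(parent)?;
    }
    if let Ok(meta) = fs::symlink_metadata(dst) {
        let what = if meta.file_type().is_symlink() { "symlink" } else { "entry" };
        return Err(io::Error::new(io::ErrorKind::AlreadyExists,
            format!("refusing to overwrite existing {} at {}", what, dst.display())));
    }
    let data = fs::read(src)?;
    let mut out = OpenOptions::new().write(true).create_new(true).open(dst)?;
    out.write_all(&data)?;
    Ok(data.len() as u64)
}

/// Host file after the vulnerable copy, whether the hardened copy refused, host file after it.
#[derive(Debug, PartialEq)]
struct Outcome {
    host_after_vulnerable: String,
    hardened_refused: bool,
    host_after_hardened: String,
}

/// Constructed scenario (paths and contents are made up): a host file that must
/// never change, a jail dir the attacker can write to, and a link planted there.
fn run_scenario() -> io::Result<Outcome> {
    let root = scratch_dir()?;
    let host_file = root.join("host_secret"); // stands in for a real host file
    let jail = root.join("jail");
    let src = root.join("firecracker_bin");
    fs::write(&host_file, "original host data")?;
    fs::write(&src, "vmm binary bytes")?;
    fs::create_dir(&jail)?;
    fs::set_permissions(&jail, fs::Permissions::from_mode(0o755))?;
    // Attacker step: the path the privileged copy writes to is now a symlink.
    symlink(&host_file, jail.join("firecracker"))?;

    copy_following_symlinks(&src, &jail.join("firecracker"))?;
    let host_after_vulnerable = fs::read_to_string(&host_file)?;

    fs::write(&host_file, "original host data")?; // reset before the second run
    let hardened_refused = copy_no_follow(&src, &jail.join("firecracker")).is_err();
    let host_after_hardened = fs::read_to_string(&host_file)?;

    fs::remove_dir_all(&root)?;
    Ok(Outcome { host_after_vulnerable, hardened_refused, host_after_hardened })
}

fn main() -> io::Result<()> {
    println!("{:?}", run_scenario()?);
    Ok(())
}
```

The first copy silently replaces the host file's contents with the "binary"; the second returns an error and leaves it untouched. The directory-permission check is the part that maps to the advisory's precondition (a local user with write access to the pre-created jailer directories); O_EXCL is what makes the copy safe even if that check is skipped.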
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
vendor-advisory https://aws.amazon.com/security/security-bulletins/2026-003-AWS/
patch https://github.com/firecracker-microvm/firecracker/releases/tag/v1.13.2
patch https://github.com/firecracker-microvm/firecracker/releases/tag/v1.14.1
third-party-advisory https://github.com/firecracker-microvm/firecracker/security/advisories/GHSA-36j2-f825-qvgc

Match rules

CPE URI | Source package | Min version | Max version
 | firecracker | == 1.13.2 | == None
 | firecracker | == 1.14.1 | == None
cpe:2.3:a:amazon:firecracker:*:*:*:*:*:*:*:* | firecracker | >= None | < 1.13.2
cpe:2.3:a:amazon:firecracker:1.14.0:-:*:*:*:*:*:* | firecracker | == None | == 1.14.0

Vulnerable and fixed packages

Source package | Branch | Version | Maintainer | Status
firecracker | edge-community | 1.14.1-r0 | omni <omni+alpine@hack.org> | possibly vulnerable
firecracker | edge-community | 1.14.0-r0 | omni <omni+alpine@hack.org> | possibly vulnerable
firecracker | edge-community | 1.13.1-r0 | omni <omni+alpine@hack.org> | possibly vulnerable
firecracker | edge-community | 1.12.1-r0 | omni <omni+alpine@hack.org> | possibly vulnerable
firecracker | edge-community | 1.12.0-r0 | omni <omni+alpine@hack.org> | possibly vulnerable
firecracker | 3.23-community | 1.13.2-r0 | omni <omni+alpine@hack.org> | possibly vulnerable
firecracker | 3.23-community | 1.13.1-r0 | omni <omni+alpine@hack.org> | possibly vulnerable

Note: by the match rules above, only versions below 1.13.2 and exactly 1.14.0 are affected. The 1.13.2-r0 and 1.14.1-r0 entries package the upstream releases the description names as fixed, so their "possibly vulnerable" status is the tracker's automated flag rather than a confirmed match.