CVE-2026-1386— Arbitrary Host File Overwrite via Symlink in Firecracker Jailer
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-1386
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Arbitrary Host File Overwrite via Symlink in Firecracker Jailer
Source: NVD (National Vulnerability Database)
Vulnerability Description
A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-61
Source: NVD (National Vulnerability Database)
Vulnerability Title
firecracker 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
firecracker是firecracker-microvm开源的一个用于无服务器计算的微型虚拟机。 firecracker v1.13.1及之前版本和1.14.0版本存在安全漏洞,该漏洞源于jailer组件存在UNIX符号链接跟随问题,可能导致本地主机用户覆盖任意主机文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| AWS | Firecracker | - | - |
II. Public POCs for CVE-2026-1386
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-1386
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: AWS
- CVE-2026-7461
OS Command Injection in Amazon ECS Agent via FSx Windows Fil - CVE-2026-7426
Out-of-Bounds Write via Unsanitized Prefix Length in Router - CVE-2026-7425
Out-of-Bounds Read in Router Advertisement Option Parser in - CVE-2026-7424
Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Pl - CVE-2026-7423
Integer Underflow in ICMP Echo Reply Processing in FreeRTOS-
Same weakness: CWE-61
- CVE-2026-29203
cPanel 安全漏洞 - CVE-2026-42275
zrok: WebDAV drive backend follows symlinks outside DriveRoo - CVE-2026-31893
Tunnelblick arbitrary file read via symlink following in tun - CVE-2026-7832
IObit Advanced SystemCare Service ASC.exe symlink - CVE-2026-43570
OpenClaw 2026.3.22 < 2026.4.5 - Symlink Traversal in Remote
V. Comments for CVE-2026-1386
No comments yet