<Vulnerability name="CVE-2026-55686">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-06-26T16:30:41</PublicDate>
    <Bugzilla id="2493624" url="https://bugzilla.redhat.com/show_bug.cgi?id=2493624" xml:lang="en:us">
github.com/containers/podman: Podman: Host filesystem modification via malicious container image WORKDIR symlink
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>5.8</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-59</CWE>
    <Details xml:lang="en:us" source="Mitre">
Podman is a tool for managing OCI containers and pods. From 3.0.0 until 5.7.1, running a malicious container image where the WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. Modified ownership is less likely to happen as that requires help from an untrusted/malicious process that mutates the host filesystem tree during dereferencing of the WORKDIR path, to trigger a race condition. This vulnerability is fixed in 5.7.1.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Podman. A remote attacker can exploit this vulnerability by running a malicious container image where the WORKDIR (working directory) path contains a symbolic link (symlink). This can lead to the creation of a directory or modification of ownership on the host filesystem, potentially impacting system integrity.
    </Details>
    <Statement xml:lang="en:us">
A flaw was found in Podman where running a malicious container image with a WORKDIR path containing a symlink can create directories or modify ownership on the host filesystem. Exploitation requires the user to pull and run a specifically crafted malicious container image. Red Hat rates this as Moderate impact, consistent with the upstream assessment, because the attack requires a malicious image and the most severe outcome (ownership modification) requires additional help from an underprivileged user namespace.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-06-25T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:29954">RHSA-2026:29954</Advisory>
        <Package name="podman-main">podman-main-6.0.0-1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ansible-automation-platform-26/eda-controller-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ansible_automation_platform:2">
        <ProductName>Red Hat Ansible Automation Platform 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>ansible-automation-platform-27/eda-controller-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>podman</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>container-tools:rhel8/podman</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>podman</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>podman</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhcos</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:container_native_virtualization:4">
        <ProductName>Red Hat OpenShift Virtualization 4</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>container-native-virtualization/ocp-virt-validation-checkup-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:quay:3">
        <ProductName>Red Hat Quay 3</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>quay/quay-builder-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:quay:3">
        <ProductName>Red Hat Quay 3</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>quay/quay-builder-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-55686
https://nvd.nist.gov/vuln/detail/CVE-2026-55686
https://github.com/podman-container-tools/podman/commit/d18e44e9abb3bf5b7294aa70806e1368fdddfdd0
https://github.com/podman-container-tools/podman/security/advisories/GHSA-q6r4-3wmg-fwcq
    </References>
</Vulnerability>