{"id":"CVE-2026-46388","summary":"osquery: Unprivileged users can temporarily read file carve contents","details":"osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Prior to 5.23.1, an unprivileged attacker can read the contents of an osquery file carve until the carve completes and the temporary files are deleted because in-progress carve directories are not created with private permissions. If the carve targets a directory that the attacker controls, arbitrary file reads are possible, such as sensitive local files. This issue is fixed in version 5.23.1.","aliases":["GHSA-fg78-9q98-62hh"],"modified":"2026-07-15T17:34:37.039999Z","published":"2026-07-10T14:44:52.865Z","database_specific":{"cwe_ids":["CWE-279","CWE-378","CWE-379"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46388.json","unresolved_ranges":[{"extracted_events":[{"fixed":"5.23.1"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/osquery/osquery/releases/tag/5.23.1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46388.json"},{"type":"ADVISORY","url":"https://github.com/osquery/osquery/security/advisories/GHSA-fg78-9q98-62hh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46388"},{"type":"FIX","url":"https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68"},{"type":"FIX","url":"https://github.com/osquery/osquery/pull/8961"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/osquery/osquery","events":[{"introduced":"0"},{"fixed":"6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68"}],"database_specific":{"source":"REFERENCES"}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46388.json","vanir_signatures_modified":"2026-07-15T17:34:37Z","vanir_signatures":[{"signature_version":"v1","source":"https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68","target":{"file":"osquery/filesystem/fileops.h"},"deprecated":false,"digest":{"line_hashes":["291996126865976664111590364039308336086","28816944422254912411386447057468062795","177752019843461626907427057778492737009"],"threshold":0.9},"id":"CVE-2026-46388-248ea7bb","signature_type":"Line"},{"deprecated":false,"digest":{"line_hashes":["139311229875179795955499854066840545618","156229633867457481922570895412104420582","170288997154250313484618351826209118173","209386663089560424458393203396161800427","71694345327262585489792172450178893208","52868458185999680162443041893959759977"],"threshold":0.9},"id":"CVE-2026-46388-2b7bfaea","signature_type":"Line","signature_version":"v1","source":"https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68","target":{"file":"osquery/carver/carver.cpp"}},{"deprecated":false,"digest":{"line_hashes":["169395819770120366250532997384644353657","322435829625643381916225310063429894411","204023032336214335968178190543891061806"],"threshold":0.9},"id":"CVE-2026-46388-57654a1a","signature_type":"Line","signature_version":"v1","source":"https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68","target":{"file":"osquery/filesystem/posix/fileops.cpp"}},{"target":{"file":"osquery/filesystem/tests/fileops.cpp"},"deprecated":false,"digest":{"line_hashes":["18050143582258080010150957184034895561","52493561412598734443471143899947100120","335590953632274345389069603565422788375","244335441189321473006023577945152437597","297642071818061455789816822211983647960","231684248227625252655747977369085192267","132040560406320763038334423913642574086","128712088136851904452239057547502030155","133672623718812284545448958997238532070","121417604652715272811888084609870592301","108849289171562713252522948640762619057","150909274144431103075832019935814367630","17736528387901820582136519383146385999","211115230691863028773887356240258278149"],"threshold":0.9},"id":"CVE-2026-46388-c33709c7","signature_type":"Line","signature_version":"v1","source":"https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68"},{"deprecated":false,"digest":{"function_hash":"295328686200884179568110239093891324319","length":510},"id":"CVE-2026-46388-dad5caad","signature_type":"Function","signature_version":"v1","source":"https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68","target":{"file":"osquery/carver/carver.cpp","function":"Carver::createPaths"}},{"source":"https://github.com/osquery/osquery/commit/6dabe9ded33bf9c6fc0f3e37ec364a1cbbd25d68","target":{"file":"osquery/filesystem/windows/fileops.cpp"},"deprecated":false,"digest":{"line_hashes":["216689825834617000176396039502756715677","337898323606536369790541894482748479295","263277444845128024418441371713190281280","287724167584148740598277450586963595384","219620400296105398222761418135489240268","140897082986395230158576107484148252680","173521132732381513985961359812666275883"],"threshold":0.9},"id":"CVE-2026-46388-fab5c217","signature_type":"Line","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"}]}