{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20613", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-11-11T14:43:07.858Z", "datePublished": "2026-01-22T23:58:20.556Z", "dateUpdated": "2026-01-23T14:56:14.929Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames."}]}], "affected": [{"vendor": "Apple", "product": "Container", "versions": [{"version": "unspecified", "status": "affected", "lessThan": "0.7.1", "versionType": "custom"}]}, {"vendor": "Apple", "product": "Containerization", "versions": [{"version": "unspecified", "status": "affected", "lessThan": "0.20.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0."}], "references": [{"url": "https://github.com/apple/containerization/security/advisories/GHSA-cq3j-qj2h-6rv3"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-01-22T23:58:20.556Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T14:56:08.027445Z", "id": "CVE-2026-20613", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T14:56:14.929Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-20613", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-23T14:56:08.027445Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T14:53:34.718Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "Container", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "0.7.1", "versionType": "custom"}]}, {"vendor": "Apple", "product": "Containerization", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "0.20.1", "versionType": "custom"}]}], "references": [{"url": "https://github.com/apple/containerization/security/advisories/GHSA-cq3j-qj2h-6rv3"}], "descriptions": [{"lang": "en", "value": "The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames."}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-01-22T23:58:20.556Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20613", "state": "PUBLISHED", "dateUpdated": "2026-01-23T14:56:14.929Z", "dateReserved": "2025-11-11T14:43:07.858Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2026-01-22T23:58:20.556Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:container:*:*:*:*:*:swift:*:*", "matchCriteriaId": "C6FA03D6-D8FD-484D-ABC3-C4E06F004E9B", "versionEndExcluding": "0.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:containerization:*:*:*:*:*:swift:*:*", "matchCriteriaId": "1FE4C5FD-62B9-4CCC-90EA-065CDF156FFD", "versionEndExcluding": "0.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0."}], "id": "CVE-2026-20613", "lastModified": "2026-01-27T20:17:18.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-23T00:15:52.283", "references": [{"source": "product-security@apple.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/apple/containerization/security/advisories/GHSA-cq3j-qj2h-6rv3"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T03:29:03.295585+00:00", "value": {"mitigation_remediation": ["Upgrade Apple Container to version\u00a00.8.0\u00a0or later.", "Upgrade Apple Containerization to version\u00a00.21.0\u00a0or later.", "Ensure that only trusted images are loaded and restrict the execution of cctl image load to users with minimal privileges."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Write via Unvalidated Pathnames"}, "threat_synthesis": {"affected_systems": "Apple Container and Apple Containerization products are affected. The fix was released in version 0.8.0 of Apple Container and version 0.21.0 of Apple Containerization. All earlier releases remain vulnerable.\n", "description_and_impact": "ArchiveReader.extractContents() is used by cctl image load and container image load to unpack archives. The function performs no pathname validation before extracting an archive member, allowing a maliciously constructed archive to write a file to any user\u2011writable location on the system via relative pathnames. This results in an arbitrary file write vulnerability, classified as CWE\u201122. The impact is the potential modification or insertion of files on the host filesystem, which can compromise confidentiality, integrity, or availability of the system.\n", "risk_and_exploitability": "The CVSS base score is 7.8, indicating a high level of severity. The EPSS score is reported as less than\u00a01%, suggesting a very low probability of exploitation at the time of this assessment, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local, where an adversary with access to run cctl image load can supply a crafted archive. No remote exploitation path is detailed in the provided data, but the vulnerability would still allow an attacker to overwrite arbitrary files if the image load process is executed with elevated or write\u2011capable privileges."}}}}, "created": "2026-01-23T10:26:41.253563+00:00", "updated": "2026-04-18T03:30:25.915199+00:00", "vendors": ["apple", "apple$PRODUCT$container", "apple$PRODUCT$containerization"]}