VYPR
Medium severity · 6.3 · NVD Advisory · Published Jun 12, 2026

CVE-2026-44171

Description

MariaDB mbstream fails to validate path traversal sequences, enabling arbitrary file write outside the target directory via crafted backup archives.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In MariaDB Server, the mbstream utility (used for unpacking backup archives) does not validate path components containing /../ during archive extraction. This affects versions 10.6.1 through 10.6.25, 10.11.1 through 10.11.16, 11.4.1 through 11.4.10, 11.8.1 through 11.8.6, and 12.3.1 [1][2]. While legitimate backups never contain such paths, a crafted archive can exploit this missing check.

Exploitation

An attacker must craft a malicious backup archive that includes directory traversal sequences (e.g., ../../tmp/evil.so) as file paths. If a victim uses mbstream to unpack the archive (typically as part of a restore operation), the tool will create files outside of the intended target directory without raising an error. No authentication or special privileges are required beyond producing the archive and having the victim unpack it.

Impact

Successful exploitation allows an attacker to write arbitrary files to arbitrary locations on the file system where the mbstream process has write permissions. This could lead to overwriting system files, placing malicious executables, or modifying configuration files—potentially resulting in remote code execution or privilege escalation, depending on the target path and permissions.

Mitigation

The issue is patched in MariaDB Server versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2 [1][2]. Users should upgrade to the fixed version. No workarounds are documented; avoiding the use of mbstream on untrusted archives is a general precaution.
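The check that is missing here, shown as an added example rather than MariaDB's own code: a pre-restore filter a wrapper script could run over an archive's entry names before handing the archive to mbstream. It assumes the entry names have already been listed from the archive; the target directory and sample entries are constructed.

```python
import os

# Constructed sample entry names, as they might appear in a backup archive listing.
# The first two look like legitimate backup files; the rest attempt to escape.
SAMPLE_ENTRIES = [
    "xtrabackup_info",
    "mysql/global_priv.MAD",
    "../../tmp/evil.so",
    "/etc/cron.d/job",
    "ibdata/../../../etc/passwd",
]


def is_contained(target_dir: str, member_path: str) -> bool:
    """True only if member_path, extracted under target_dir, stays inside it.

    Two layers: a lexical check that rejects absolute paths and any '..'
    component (the validation the advisory says mbstream lacks), and a
    realpath comparison that also catches escapes through symlinks that
    already exist under target_dir."""
    if not member_path:
        return False
    normalised = member_path.replace("\\", "/")
    if normalised.startswith("/"):
        return False
    parts = [p for p in normalised.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return False
    base = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(base, *parts))
    return os.path.commonpath([base, dest]) == base


def scan_entries(target_dir: str, entries):
    """Return the entry names that would land outside target_dir."""
    return [name for name in entries if not is_contained(target_dir, name)]


if __name__ == "__main__":
    # Hypothetical restore directory; nothing is written to disk.
    for bad in scan_entries("/var/lib/mysql-restore", SAMPLE_ENTRIES):
        print("REJECT", bad)
```

An archive with any rejected entry should be refused outright, since the extraction tool on the affected versions would write those files without error.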

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
