VYPR
Medium severity (5.3, NVD) · Advisory · Published Apr 27, 2026 · Updated Apr 29, 2026

CVE-2026-7179

Description

A security vulnerability has been detected in OSPG binwalk up to 2.4.3. This vulnerability affects the function read_null_terminated_string of the file src/binwalk/plugins/winceextract.py of the component WinCE Extraction Plugin. Manipulation of the argument self.file_name leads to path traversal. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The project maintainer confirms this issue: "I accept the existence of the Path Traversal vulnerability. However, as stated in the Github link, it reached EOL and as a result no actions should be expected." The GitHub repository mentions that "[u]sers and contributors should migrate to binwalk v3." This vulnerability only affects products that are no longer supported by the maintainer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in binwalk's WinCE extraction plugin allows local attackers to write arbitrary files, potentially leading to remote code execution on unsupported versions.

Vulnerability

Overview

A path traversal vulnerability exists in the read_null_terminated_string function within the WinCE extraction plugin (winceextract.py) of OSPG binwalk versions up to 2.4.3. The flaw allows an attacker to manipulate the self.file_name argument, enabling arbitrary file writes outside the intended extraction directory. This issue is classified as CWE-22 and is distinct from a previously fixed path traversal in unpfs.py (CVE-2022-4510) [1].
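As an added defensive illustration (this is not binwalk's code and is not taken from the cited reference), the following Python shows the kind of confinement check an extractor should apply to every archive-supplied file name before it opens an output path. The extraction directory and the sample names are constructed for the example; the check rejects embedded NUL bytes (a C-style null-terminated reader would silently truncate the name, so the name inspected and the name used could differ), absolute names, and any name whose resolved path leaves the extraction directory.

```python
import os

# Constructed sample names of the kind an extractor reads from an image's
# string table (hypothetical values, not taken from any real WinCE image).
SAMPLE_NAMES = [
    "nk.exe",
    "windows/ceconfig.h",
    "../../escaped.txt",
    "sub/../../escaped2.txt",
    "/etc/escaped3.txt",
    "ok\x00hidden",
]


class UnsafeExtractionPath(ValueError):
    """Raised when an archive-supplied name would escape the extraction directory."""


def confine_to_directory(extract_dir: str, file_name: str) -> str:
    """Return an absolute output path for file_name that is guaranteed to lie
    inside extract_dir, or raise UnsafeExtractionPath.

    Checks performed, in order:
      1. embedded NUL bytes are rejected outright
      2. absolute names are rejected rather than silently relativised
         (os.path.join would otherwise discard extract_dir entirely)
      3. the joined path is resolved (symlinks and '..' collapsed) and must
         still sit under the resolved extraction directory; commonpath is
         used instead of a string-prefix test so that '/out' does not
         accept '/outside'
    """
    if "\x00" in file_name:
        raise UnsafeExtractionPath("embedded NUL byte in name: %r" % file_name)
    if os.path.isabs(file_name):
        raise UnsafeExtractionPath("absolute name not allowed: %r" % file_name)
    root = os.path.realpath(extract_dir)
    candidate = os.path.realpath(os.path.join(root, file_name))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeExtractionPath("name escapes extraction directory: %r" % file_name)
    return candidate


def classify(extract_dir: str, names) -> dict:
    """Map each name to 'accepted' or 'rejected' according to the check above."""
    verdicts = {}
    for name in names:
        try:
            confine_to_directory(extract_dir, name)
            verdicts[name] = "accepted"
        except UnsafeExtractionPath:
            verdicts[name] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Hypothetical extraction directory; it does not need to exist for the
    # path arithmetic, since realpath works on non-existent paths.
    for name, verdict in classify("/tmp/_extracted", SAMPLE_NAMES).items():
        print("%-26r %s" % (name, verdict))
```

The check is deliberately placed on the name alone, before any file is opened, so it can be applied by every extractor plugin regardless of format; a plugin that writes through a path returned by `confine_to_directory` cannot reach a location outside the extraction root, which is what removes the arbitrary-file-write primitive the advisory describes.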

Exploitation

Conditions

The attack requires local access to the system and can be triggered when a user extracts a specially crafted WinCE ROM firmware image using the affected binwalk version. No authentication is needed beyond local file access, and the exploit has been publicly disclosed [1].

Impact

Successful exploitation permits arbitrary file write, which can be escalated to remote code execution (RCE) by planting a malicious binwalk plugin that executes on subsequent runs. The CVSS v3.1 score is 7.8 (High) under the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [1].

Mitigation

Status

The maintainer has acknowledged the vulnerability but stated that the affected Python-based binwalk repository reached end-of-life (EOL) in November 2024 and will not receive patches. Users are advised to migrate to the Rust-based binwalk v3, which is actively maintained [1]. No security updates are planned for the vulnerable versions.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.