Vulnerability DatabaseCVE-2026-40024

CVE-2026-40024:
CBL Mariner vulnerability analysis and mitigation

The Sleuth Kit through 4.14.0 contains a path traversal vulnerability in tsk_recover that allows an attacker to write files to arbitrary locations outside the intended recovery directory via crafted filenames or directory paths with path traversal sequences in a filesystem image. An attacker can craft a malicious filesystem image with embedded /../ sequences in filenames that, when processed by tsk_recover, writes files outside the output directory, potentially achieving code execution by overwriting shell configuration or cron entries.

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

8.4

Score

Published April 8, 2026

Severity HIGH

CNA Score 8.4

Affected Technologies

CBL Mariner
Linux Debian

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 8

Exploitation Probability (EPSS) N/A

Affected packages and libraries

sleuthkit

Sources

NVD
CBL-Mariner
- CBL-Mariner 3.0 Severity HIGHHas FixAdded at: Apr 15, 2026
Debian Security Tracker
- Debian 11, 12, 13 Severity MEDIUMNo FixAdded at: Apr 09, 2026
- Debian 14 Severity HIGHNo FixAdded at: Apr 09, 2026
Echo
- Echo Severity HIGHNo FixAdded at: Apr 09, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related CBL Mariner vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-40024	HIGH	8.4	CBL Mariner	sleuthkit	No	Yes	Apr 08, 2026
CVE-2026-35535	HIGH	7.4	CBL Mariner	seal-sudo	No	Yes	Apr 03, 2026
CVE-2026-31394	MEDIUM	5.5	Linux Kernel	kernel-zfcpdump-modules-core	No	Yes	Apr 03, 2026
CVE-2026-40026	MEDIUM	4.8	CBL Mariner	sleuthkit	No	Yes	Apr 08, 2026
CVE-2026-40025	MEDIUM	4.8	CBL Mariner	sleuthkit	No	Yes	Apr 08, 2026