Path Traversal in File Handler
Attacker-controlled filename input reaches fopen and unlink calls without canonicalization or directory confinement.
- CVE: CVE-2026-6822, CVE-2026-6259
- Vendor: Inhand Networks
- Product: 5G Modem
Executive Summary
One high-severity vulnerability was confirmed in the analyzed binary. The issue is a CWE-22 path traversal in sub_40fa90, where attacker-controlled input reaches filesystem APIs without normalization or confinement checks. Exploitation is remotely reachable via network input.
Binary Profile
- Security Flags: PIE: absent, NX: absent, stack_canary: absent, RELRO: absent
- Risk Level: High
Findings
1. Unsanitized User Path Reaching File APIs (Path Traversal) — High
- Function: sub_40fa90@0x40fa90
- CWE: CWE-22 — Path Traversal
- Category: other
- Reachability: reachable_from_network
Description
The handler reads an attacker-controlled filename from webcgi_get("filename") and uses it directly in file-operation sinks. The value flows into fopen and multiple unlink calls without realpath-style canonicalization or a root-directory confinement check. This allows traversal inputs (for example ../../...) or absolute paths to access or delete unintended files. Because the input is network-reachable, this creates a high-risk arbitrary file access/deletion condition.
Taint Chain
webcgi_get("filename") @ 0x40faec
→ filename#2 assigned from web input
→ $s1_1 propagated into branch-specific sink arguments
→ fopen @ 0x410068 (also 0x410380) and unlink @ 0x40fe88 (also 0x40fe4c/0x40fd98/0x410278/0x4104d4)
Mitigations
- Present: none
- Absent: stack_canary, PIE, NX, RELRO, path_canonicalization, path_confinement_check