CVE-2026-41046 - qSnapper configName path traversal

CVE-2026-41046 - qSnapper configName path traversal - High - 2026-06-22

Business risk: A local attacker can point qSnapper at attacker-controlled snapper config and drive root-owned snapshot behavior.

Root cause: configName is used to select snapper configuration without strict basename validation and containment.

Affected versions

  • Vulnerable: qSnapper before 1.3.3.
  • Fixed / safe target: Upgrade qSnapper to 1.3.3+ and canonicalize configName under the snapper configuration root.
  • CVSS: 7.3 (High)

Exact vulnerable code pattern

std::string path = "/etc/snapper/configs/" + request.configName();
Snapper snapper(path);
snapper.createSnapshot();

Fixed / mitigated code pattern

std::string name = request.configName();
if (!std::regex_match(name, std::regex("^[A-Za-z0-9_.-]{1,64}$"))) {
    throw ValidationError("invalid configName");
}
auto root = std::filesystem::canonical("/etc/snapper/configs");
auto path = std::filesystem::weakly_canonical(root / name);
if (!path.string().starts_with(root.string() + "/")) {
    throw ValidationError("configName escapes snapper config root");
}

Step-by-step integration guide

  1. Upgrade qSnapper to 1.3.3+.
  2. Search for custom configName wrappers.
  3. Add tests for …/, absolute paths, symlinks, and long names.
  4. Allow-list approved snapper config names.
  5. Redeploy shared Linux hosts first.

Alternative mitigations

  • Limit qSnapper D-Bus access to administrators.
  • Remove user-controlled snapper config directories.
  • Disable qSnapper until fixed on multi-user hosts.

Detection signature

rg -n "configName|/etc/snapper/configs|Snapper\(" . /usr/share /etc

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-41046: qSnapper configName path traversal.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-41046 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, qsnapper, path-traversal, snapper, linux, enterprise_blocker, high
  • Affected tech stack: linux/system
  • Revenue tags: enterprise_blocker

References