CVE-2026-41046 - qSnapper configName path traversal
CVE-2026-41046 - qSnapper configName path traversal - High - 2026-06-22
Business risk: A local attacker can point qSnapper at attacker-controlled snapper config and drive root-owned snapshot behavior.
Root cause: configName is used to select snapper configuration without strict basename validation and containment.
Affected versions
- Vulnerable: qSnapper before 1.3.3.
- Fixed / safe target: Upgrade qSnapper to 1.3.3+ and canonicalize configName under the snapper configuration root.
- CVSS: 7.3 (High)
Exact vulnerable code pattern
std::string path = "/etc/snapper/configs/" + request.configName();
Snapper snapper(path);
snapper.createSnapshot();
Fixed / mitigated code pattern
std::string name = request.configName();
if (!std::regex_match(name, std::regex("^[A-Za-z0-9_.-]{1,64}$"))) {
throw ValidationError("invalid configName");
}
auto root = std::filesystem::canonical("/etc/snapper/configs");
auto path = std::filesystem::weakly_canonical(root / name);
if (!path.string().starts_with(root.string() + "/")) {
throw ValidationError("configName escapes snapper config root");
}
Step-by-step integration guide
- Upgrade qSnapper to 1.3.3+.
- Search for custom configName wrappers.
- Add tests for …/, absolute paths, symlinks, and long names.
- Allow-list approved snapper config names.
- Redeploy shared Linux hosts first.
Alternative mitigations
- Limit qSnapper D-Bus access to administrators.
- Remove user-controlled snapper config directories.
- Disable qSnapper until fixed on multi-user hosts.
Detection signature
rg -n "configName|/etc/snapper/configs|Snapper\(" . /usr/share /etc
Copy-paste skill block
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-41046: qSnapper configName path traversal.
Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.
Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.
Boundaries:
- Scope only CVE-2026-41046 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.
Tags and revenue routing
- Keywords: cve, qsnapper, path-traversal, snapper, linux, enterprise_blocker, high
- Affected tech stack: linux/system
- Revenue tags: enterprise_blocker