CVE-2026-37531
Published: 01 May 2026
Description
AGL app-framework-main through 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal sequences; it only blocks absolute paths. The zread extraction function uses openat(workdirfd, filename, O_CREAT), which resolves dot notation values relative to the work directory, allowing files to be written anywhere on the filesystem. Critically, in the install_widget function in wgtpkg-install.c, extraction via zread occurs BEFORE signature verification via check_all_signatures. Even if signature verification fails, the error cleanup (remove_workdir) only deletes the temporary work directory; files written outside it via path traversal persist permanently.
Mitigating Controls (NIST 800-53 r5)
Requires rigorous validation of ZIP entry filenames to block dot notation directory traversal sequences like '../', preventing arbitrary file writes during widget extraction.
Mandates integrity verification such as signature checks on widgets prior to extraction or installation, mitigating risks from malicious packages even if path traversal occurs.
Ensures secure error handling with comprehensive cleanup of all extracted files, including those written outside the temporary directory via path traversal, upon signature verification failure.
Security Summary
CVE-2026-37531 is a Zip Slip path traversal vulnerability (CWE-22) combined with a time-of-check-to-time-of-use (TOCTOU) race condition (CWE-367) affecting AGL app-framework-main versions through 17.1.12. The issue resides in the widget installation flow, where the is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but only blocks absolute paths, failing to check for dot notation directory traversal sequences like "../". The zread extraction function then uses openat(workdirfd, filename, O_CREAT), which resolves these relative to the working directory and permits writing files anywhere on the filesystem. Critically, in the install_widget function of wgtpkg-install.c, extraction occurs before signature verification via check_all_signatures; if verification fails, the cleanup routine (remove_workdir) only removes files from the temporary working directory, leaving traversed files in place permanently.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely by unauthenticated attackers with low complexity and no user interaction required. An attacker can craft a malicious widget ZIP package containing traversal payloads in filenames and deliver it for installation via the app framework. During extraction, files are written to arbitrary locations before any signature checks, enabling full filesystem compromise including high confidentiality, integrity, and availability impacts such as overwriting critical system files, planting malware, or exfiltrating data.
References include the AGL app-framework-main source repository on Gerrit for potential patches and a GitHub Gist disclosure detailing the vulnerability. No specific mitigation guidance is provided in the available details, so practitioners should review the source code and disclosure for updates or workarounds, such as validating filenames more rigorously or deferring extraction until after signature verification.
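The description and the mitigating controls above call for two things: an entry-name check that rejects every form of directory traversal, not just absolute paths, and an install order in which nothing is written before the package has been verified. The following C program is an added example, not AGL's code and not the contents of wgtpkg-zip.c or wgtpkg-install.c; the names is_safe_entry_name, write_entry, install_package and the in-memory struct entry are assumptions, and the verify() callback stands in for a real signature check such as check_all_signatures rather than implementing one. It validates every name first, refuses the whole package on the first bad name or on a failed verification, and only then writes files below the work directory descriptor with O_EXCL and O_NOFOLLOW.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened entry-name check (constructed rule set, not AGL's is_valid_filename).
 * Rejects empty names, absolute paths, backslash separators, empty components
 * ("a//b") and any "." or ".." component, so no name can resolve outside the
 * work directory. A trailing '/' (a ZIP directory entry) is allowed. */
int is_safe_entry_name(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '/' || strchr(name, '\\'))
        return 0;
    for (const char *p = name; *p; ) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0)
            return 0;                                  /* empty component */
        if (p[0] == '.' && (len == 1 || (len == 2 && p[1] == '.')))
            return 0;                                  /* "." or ".." component */
        if (!slash)
            break;
        p = slash + 1;
    }
    return 1;
}

/* Write one entry strictly below workdirfd: intermediate directories via mkdirat,
 * the file via openat with O_EXCL (never overwrite an existing file) and
 * O_NOFOLLOW (never write through a symlink in the final component). */
int write_entry(int workdirfd, const char *name, const char *data, size_t len)
{
    char path[PATH_MAX];
    if (!is_safe_entry_name(name) || strlen(name) >= sizeof path)
        return -1;
    strcpy(path, name);
    for (char *s = strchr(path, '/'); s; s = strchr(s + 1, '/')) {
        *s = '\0';
        if (mkdirat(workdirfd, path, 0755) < 0 && errno != EEXIST)
            return -1;
        *s = '/';
    }
    if (path[strlen(path) - 1] == '/')
        return 0;                                      /* directory entry, nothing to write */
    int fd = openat(workdirfd, path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

struct entry { const char *name; const char *data; };   /* in-memory stand-in for a ZIP entry */

/* Safe install order: validate every name and verify the package before a single
 * byte reaches the disk, so a failed check never leaves anything to clean up.
 * verify() is an assumed callback; a real implementation would check signatures. */
int install_package(int workdirfd, const struct entry *e, size_t n,
                    int (*verify)(const struct entry *, size_t))
{
    for (size_t i = 0; i < n; i++)
        if (!is_safe_entry_name(e[i].name))
            return -1;                                 /* reject the whole package */
    if (verify(e, n) != 0)
        return -2;                                     /* nothing written, nothing to undo */
    for (size_t i = 0; i < n; i++)
        if (write_entry(workdirfd, e[i].name, e[i].data, strlen(e[i].data)) < 0)
            return -3;
    return 0;
}

static int reject_all(const struct entry *e, size_t n) { (void)e; (void)n; return -1; }
static int accept_all(const struct entry *e, size_t n) { (void)e; (void)n; return 0; }

/* Exercise the three paths in a scratch work directory; returns 0 when every
 * expectation held, otherwise a bitmask of the failed checks. Inputs are constructed. */
int run_demo(void)
{
    char tmpl[] = "/tmp/wgt-demo-XXXXXX";
    if (!mkdtemp(tmpl)) return 1;
    int wfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (wfd < 0) return 2;
    const struct entry good[] = {{"config.xml", "<widget/>"}, {"icons/app.png", "PNG"}};
    const struct entry bad[]  = {{"config.xml", "<widget/>"}, {"../outside.txt", "x"}};
    int rc = 0;
    if (install_package(wfd, bad, 2, accept_all) != -1) rc |= 4;    /* traversal name refused */
    if (faccessat(wfd, "config.xml", F_OK, 0) == 0)      rc |= 8;    /* and nothing was written */
    if (install_package(wfd, good, 2, reject_all) != -2) rc |= 16;   /* failed verification refused */
    if (faccessat(wfd, "config.xml", F_OK, 0) == 0)      rc |= 32;   /* work dir still empty */
    if (install_package(wfd, good, 2, accept_all) != 0)  rc |= 64;   /* valid package installs */
    if (faccessat(wfd, "icons/app.png", F_OK, 0) != 0)   rc |= 128;
    unlinkat(wfd, "icons/app.png", 0); unlinkat(wfd, "icons", AT_REMOVEDIR);
    unlinkat(wfd, "config.xml", 0); close(wfd); rmdir(tmpl);
    return rc;
}

int main(void) { return run_demo() != 0; }
```

Compile with `cc -Wall -o wgt-demo wgt-demo.c`; a zero exit status means the traversal name was refused before any write, the failed verification left the work directory empty, and the valid package landed only below the work directory. O_NOFOLLOW protects only the final path component; on Linux, openat2 with RESOLVE_BENEATH would also cover symlinked intermediate directories, which this example does not handle.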
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote path traversal in widget ZIP extraction before signature verification enables T1190 for public-facing app exploitation; facilitates T1543.002 by writing systemd service files, T1554 by overwriting binaries, and T1565.001 by arbitrary stored data manipulation on the filesystem.