Full Report
Incorrect Permission Assignment for Critical Resource vulnerability (CVE-2026-40556) has been found in nano software.
Analysis Summary
# Vulnerability: Incorrect Permission Assignment in GNU nano
## CVE Details
- **CVE ID:** CVE-2026-40556
- **CVSS Score:** Not explicitly provided in the source (Typically Medium for local permission flaws)
- **CWE:** CWE-732 (Incorrect Permission Assignment for Critical Resource)
## Affected Systems
- **Products:** GNU nano (text editor)
- **Versions:** From version 2.9.1 up to (but not including) 9.0.
- **Configurations:** Systems where the `~/.local` directory does not yet exist and where the process `umask` is relaxed (e.g., `000`). This is common in container environments, CI/CD runners, embedded systems, or specifically configured user shells.
## Vulnerability Description
GNU nano creates the user’s `~/.local` directory with overly permissive permissions if the directory is missing. When nano first uses features requiring Cross-Desktop Group (XDG) data storage, it explicitly requests directory mode `0777` (read/write/execute for everyone).
If the system's `umask` does not restrict these permissions, the directory becomes world-writable. This creates a race condition vulnerability: an attacker can exploit the window between the creation of `~/.local` and the subsequent creation of more restricted subdirectories to inject attacker-controlled files into the victim's XDG directory hierarchy.
## Exploitation
- **Status:** PoC availability or "in the wild" status not specified; documented as a discovered flaw via coordinated disclosure.
- **Complexity:** Medium (Requires timing the race condition).
- **Attack Vector:** Local (Attacker must have local shell access to the system).
## Impact
- **Confidentiality:** Low/Medium (Potential to intercept data stored in subdirectories).
- **Integrity:** High (Attacker can write files to the victim's XDG hierarchy, potentially influencing application behavior).
- **Availability:** Low (Potential for unauthorized file deletion within the affected path).
## Remediation
### Patches
- **Upgrade to GNU nano 9.0** or later, which contains the fix for this issue.
### Workarounds
- **Manual Creation:** Users on older versions can manually create the `~/.local` directory with secure permissions (`700` or `755`) before running nano for the first time:
`mkdir -m 700 -p ~/.local`
- **Umask Configuration:** Ensure the system or shell `umask` is set to a secure value (e.g., `022` or `077`) to automatically restrict the `0777` request.
## Detection
- **Audit Tool:** Use `ls -ld ~/.local` to check if the directory is world-writable (`drwxrwxrwx`).
- **Indicators of Compromise:** Presence of unexpected files or directories within `~/.local` that are owned by other users or have suspicious timestamps coinciding with nano's first execution.
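
The two detection checks above can be combined into one reusable shell function. This is an added example, not code from the advisory or from the nano project; the function name `audit_local_dir`, its output labels and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a ~/.local tree for the conditions listed under Detection.
# Usage: audit_local_dir "$HOME/.local" [expected-owner-uid]
# Returns 0 = clean, 1 = finding(s) printed, 2 = directory does not exist.
audit_local_dir() {
    ald_dir=$1
    ald_uid=${2:-$(id -u)}
    ald_rc=0

    if [ ! -d "$ald_dir" ]; then
        echo "MISSING: $ald_dir (pre-create it with: mkdir -m 700 -p $ald_dir)"
        return 2
    fi

    # World-writable directories anywhere in the tree, the top level included.
    # -H follows a symlinked start path; -perm -0002 tests the "other write" bit.
    ald_loose=$(find -H "$ald_dir" -type d -perm -0002 2>/dev/null)
    if [ -n "$ald_loose" ]; then
        echo "WORLD-WRITABLE directories:"
        echo "$ald_loose" | sed 's/^/  /'
        ald_rc=1
    fi

    # Entries not owned by the expected user match the indicator described above.
    ald_foreign=$(find -H "$ald_dir" ! -user "$ald_uid" 2>/dev/null)
    if [ -n "$ald_foreign" ]; then
        echo "FOREIGN-OWNED entries (expected uid $ald_uid):"
        echo "$ald_foreign" | sed 's/^/  /'
        ald_rc=1
    fi

    return "$ald_rc"
}
```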
## References
- **Vendor Advisory:** hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-40556
- **CERT Polska Advisory:** hxxps[://]cert[.]pl/en/posts/2026/04/vulnerability-in-gnu-nano/
- **CWE Definition:** hxxps[://]cwe[.]mitre[.]org/data/definitions/732[.]html