Zero Day Monitor (ZDM) © 2026
CVE-2026-40556 (PATCHED)
Vendor/product: gnu · nano

Insecure Directory Permissions in GNU nano Leading to Privilege Abuse

Description

GNU nano creates the user's ~/.local directory with overly permissive permissions when that directory does not yet exist. On first use of a feature that needs Cross-Desktop Group (XDG) data storage, nano passes mode 0777 to mkdir(), so the directory's final permissions depend entirely on the process umask. Under the customary umask of 022 this yields 0755, but where the umask is relaxed or zero, as is common in container images, CI/CD runners, embedded systems, or user shells configured with umask 000, ~/.local is created world-writable. A local attacker can exploit the race window between nano's creation of ~/.local and its subsequent creation of more restrictively permissioned subdirectories to write attacker-controlled files into the victim's XDG directory hierarchy. The problem was fixed in nano version 9.0.
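
The two patterns side by side, as an added example that is not nano's own code and not the referenced fix commit: `make_dir_weak` reproduces the 0777 mkdir() the advisory describes, `make_dir_safe` is one hardened form (requested mode 0700, then an lstat() check that rejects a symlink, a foreign-owned directory or a group/world-writable one). `probe` runs either creator under umask 000 inside a throwaway mkdtemp() directory (a constructed scratch path under /tmp) and reports whether the result ended up world-writable. Function names and the scratch path are this example's own assumptions.

```c
/* Added example: the mkdir(..., 0777) pattern from the advisory beside a
 * hardened variant, exercised under umask 000. Not code from GNU nano. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (as described in the advisory): the requested mode is
 * 0777, so the resulting permission bits are whatever the umask leaves. */
int make_dir_weak(const char *path)
{
    return mkdir(path, 0777);
}

/* Hardened pattern (assumption: one reasonable fix, not the actual commit):
 * request 0700 so the umask can only tighten it further, then inspect the
 * result with lstat() so that an entry planted by another local user
 * (a symlink, a directory they own, or a writable one) is refused instead
 * of silently used. Returns 0 on success, -1 with errno set otherwise. */
int make_dir_safe(const char *path)
{
    struct stat st;

    if (mkdir(path, S_IRWXU) != 0 && errno != EEXIST)
        return -1;
    if (lstat(path, &st) != 0)              /* lstat: never follow a symlink */
        return -1;
    if (!S_ISDIR(st.st_mode)) { errno = ENOTDIR; return -1; }
    if (st.st_uid != getuid()) { errno = EACCES; return -1; }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) { errno = EACCES; return -1; }
    return 0;
}

/* 1 if the entry is world-writable, 0 if not, -1 on error. */
int dir_world_writable(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

/* Run one creator under umask 000 (the container / CI case from the
 * advisory) inside a fresh mkdtemp() base directory and report whether the
 * created ".local" is world-writable. The umask is restored on return. */
int probe(int (*creator)(const char *))
{
    char base[] = "/tmp/xdg-probe-XXXXXX";  /* constructed scratch path */
    char sub[sizeof base + 8];
    mode_t old = umask(0);
    int rc = -1;

    if (mkdtemp(base) != NULL) {
        snprintf(sub, sizeof sub, "%s/.local", base);
        if (creator(sub) == 0)
            rc = dir_world_writable(sub);
        rmdir(sub);
        rmdir(base);
    }
    umask(old);
    return rc;
}

int main(void)
{
    printf("mkdir(..., 0777) under umask 000, world-writable: %d\n",
           probe(make_dir_weak));
    printf("mkdir(..., 0700) + lstat check under umask 000:  %d\n",
           probe(make_dir_safe));
    return 0;
}
```

Note that the lstat() check still leaves a small window between the check and later use of the directory; a fully race-free variant opens the directory with `O_DIRECTORY | O_NOFOLLOW`, verifies the returned descriptor with fstat(), and creates the subdirectories and files relative to it with mkdirat()/openat().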

Affected Products

Vendor   Product   Versions
gnu      nano      2.9.1, 8.x

References

  • https://cert.pl/en/posts/2026/04/CVE-2026-40556/ (third-party advisory)
  • https://www.nano-editor.org/ (product)
  • https://cgit.git.savannah.gnu.org/cgit/nano.git/commit/?id=cb43493e (patch)

Related News (2 articles)

Tier A · Microsoft MSRC · 48d ago
CVE-2026-40556 Insecure Directory Permissions in GNU nano Leading to Privilege Abuse
→ No new info (linked only)

Tier C · VulDB · 48d ago
CVE-2026-40556 | GNU nano up to 8.x Local Directory Page ~/.local permission assignment
→ No new info (linked only)

CISA KEV: No
Actively exploited: No
Patch available: 9.0
CWE: CWE-732 (Incorrect Permission Assignment for Critical Resource)
Published: Apr 28, 2026
Last enriched: 48d ago (v2)
Tags: CVE-2026-40556
Trending Score: 0
Source articles: 2
Independent: 2
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • MEDIUM · PRE-CVE · GNU gsasl Heap Disclosure in NTLM Client Step (Trending: 23)
  • CRITICAL · CVE-2026-5450 · scanf %mc off-by-one heap buffer overflow (Trending: 11)
  • HIGH · CVE-2026-48829 · In GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known toke (Trending: 3)
  • NONE · CVE-2026-6846 · Binutils: arbitrary code execution via malformed xcoff object file processing (Trending: 2)
  • NONE · CVE-2026-5958 · Race Condition in GNU Sed (Trending: 1)

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 28, 2026
Discovered by ZDM: Apr 28, 2026
Patch Available: Apr 28, 2026
Updated (affectedVersions, severity, tags): Apr 28, 2026

Version History

Current: v2, last enriched 48d ago

v2 · Tier C · 48d ago (via VulDB)
Updated affected versions to include 8.x, changed severity to HIGH, and added the CVE-2026-40556 tag.
Fields changed: affectedVersions, severity, tags

v1 · 48d ago
Initial creation