Main Vulnerability Database SB2026010716

SB2026010716 - Red Hat Enterprise Linux 9 update for git-lfs

Published: January 7, 2026

Security Bulletin ID SB2026010716

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Link following (CVE-ID: CVE-2025-26625)

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to an insecure link following issue. When populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. A remote attacker can write arbitrary files using crafted links, leading to remote code execution.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2026:0199