{"cve":{"cve_id":"CVE-2026-1386","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.00195,"epss_percentile":0.0931,"epss_as_of":"2026-06-23","description":"A UNIX symbolic link following issue in the jailer component in Firecracker version  v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. \n\nTo mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above.","published_at":"2026-01-23T20:25:02.188000Z","last_modified_at":null,"cvss_v3_score":6.0,"cvss_v3_vector":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H","cvss_v3_severity":"MEDIUM","cvss_v4_score":6.0,"cvss_v4_vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:H","cvss_v4_severity":"MEDIUM","ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-61"],"nvd_references":["https://aws.amazon.com/security/security-bulletins/2026-003-AWS/","https://github.com/firecracker-microvm/firecracker/releases/tag/v1.14.1","https://github.com/firecracker-microvm/firecracker/releases/tag/v1.13.2","https://github.com/firecracker-microvm/firecracker/security/advisories/GHSA-36j2-f825-qvgc"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-28T23:28:58.914564Z"},"effective_severity":"MEDIUM","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"L","value_label":"Local"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"H","value_label":"High"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"N","value_label":"None"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":"4.0","metrics":[{"metric":"AV","name":"Attack Vector","value":"L","value_label":"Local"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"AT","name":"Attack Requirements","value":"N","value_label":"None"},{"metric":"PR","name":"Privileges Required","value":"H","value_label":"High"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"VC","name":"Confidentiality (Vulnerable System)","value":"N","value_label":"None"},{"metric":"VI","name":"Integrity (Vulnerable System)","value":"N","value_label":"None"},{"metric":"VA","name":"Availability (Vulnerable System)","value":"N","value_label":"None"},{"metric":"SC","name":"Confidentiality (Subsequent System)","value":"N","value_label":"None"},{"metric":"SI","name":"Integrity (Subsequent System)","value":"H","value_label":"High"},{"metric":"SA","name":"Availability (Subsequent System)","value":"H","value_label":"High"}]},"affected":[{"vendor_slug":"aws","vendor_name":"AWS","product_slug":"firecracker","product_name":"Firecracker","version_start":"1.13.2","version_start_inclusive":true,"version_end":"1.13.2","version_end_inclusive":true,"cpe23_uri":"cve5:aws:firecracker:1.13.2:1.13.2"},{"vendor_slug":"aws","vendor_name":"AWS","product_slug":"firecracker","product_name":"Firecracker","version_start":"1.14.1","version_start_inclusive":true,"version_end":"1.14.1","version_end_inclusive":true,"cpe23_uri":"cve5:aws:firecracker:1.14.1:1.14.1"}],"exploit_refs":[],"news":[],"references":[{"url":"https://aws.amazon.com/security/security-bulletins/2026-003-AWS/","source_type":"MISC","tags":[]},{"url":"https://github.com/firecracker-microvm/firecracker/releases/tag/v1.14.1","source_type":"PATCH","tags":["patch"]},{"url":"https://github.com/firecracker-microvm/firecracker/releases/tag/v1.13.2","source_type":"PATCH","tags":["patch"]},{"url":"https://github.com/firecracker-microvm/firecracker/security/advisories/GHSA-36j2-f825-qvgc","source_type":"VENDOR_ADVISORY","tags":["advisory"]}],"timeline":[{"type":"published","at":"2026-01-23T20:25:02.188000Z","label":"CVE published","source":null},{"type":"cvss_changed","at":"2026-06-28T17:50:44.924477Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:50:44.924477Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:50:44.924477Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:50:44.924477Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:50:44.924477Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:50:44.924477Z","label":"CVSS score revised","source":"cvelistv5"}]}