Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-37531 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-05-01 |
| Vendor | Automotive Grade Linux |
| Product | app-framework-main |
| CVSS Score | 9.8 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
AGL app-framework-main through 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for ".." directory traversal sequences; it only blocks absolute paths. The zread extraction function uses openat(workdirfd, filename, O_CREAT), which resolves a ".." entry name relative to the work directory, so a crafted entry can place files outside the intended installation directory.
Required Actions
Update AGL app-framework-main to a release newer than 17.1.12 immediately. Until updated, do not install widgets (.wgt packages) from untrusted sources and restrict the installer process privileges. In production deployments, verify filesystem integrity in widget installation target directories.
Who Is Affected?
This vulnerability affects app-framework-main in Automotive Grade Linux. Check whether your organization uses AGL (typically vehicle infotainment systems) and roll out the framework update.
Sources