CVE-2026-31226

Published: May 12, 2026Modified: May 19, 2026Deferred

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The TinyZero project thru commit 6652a63c57fa7e5ccde3fc9c598c7176ff15b839 (2025-58-24) contains a critical command injection vulnerability (CWE-78) in its HDFS file operation utilities. The vulnerability arises from the unsafe construction and execution of shell commands via os.system() without proper input sanitization or escaping. User-controlled input (such as file paths) is directly interpolated into shell command strings using f-strings within the _copy() function. An attacker can inject arbitrary OS commands by supplying a specially crafted path parameter through the Hydra configuration framework. This leads to remote code execution with the privileges of the user running the TinyZero training process.

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://github.com/Jiayi-Pan/TinyZero

Source: cve@mitre.org

https://www.notion.so/CVE-2026-31226-35d1e139318881d19af5d63095c74579

Source: cve@mitre.org

Timeline

No history available yet.