CVE-2026-32175: Absolute Path Traversal and Arbitrary File Write in .NET Core Archive Extraction

The .NET Core runtime and SDK incorporate robust mechanisms for managing dependencies and extracting application assets. These mechanisms handle standard archive formats, predominantly ZIP-based structures such as NuGet packages (.nupkg) and single-file application bundles. The extraction functionality parses the internal metadata of these archives to determine the appropriate filesystem hierarchy required for deployment. The vulnerability, designated as CVE-2026-32175, manifests within this parsing and extraction layer.

The specific flaw is classified as CWE-36: Absolute Path Traversal. The extraction components implicitly trust the file paths embedded within the archive metadata. When an archive is processed, the system reads the embedded entry names and utilizes them to construct the destination path on the local filesystem. The system assumes that all paths are relative to the designated extraction base directory.

Attackers exploit this assumption by manipulating the archive structure prior to delivery. By modifying the entry names to contain explicit absolute paths, the attacker forces the extraction routine to direct file write operations outside the intended sandbox boundary. The resulting arbitrary file write capability provides a mechanism for attackers to overwrite critical application binaries, configuration files, or other sensitive components.

The root cause of the vulnerability resides in the inadequate sanitization of file paths during the archive extraction process. Standard archive formats mandate that internal entry names represent a relative directory structure. However, the format specification does not inherently prevent the inclusion of absolute paths, such as C:\Windows\System32\malicious.dll or rooted paths like \Users\Public\payload.exe. The responsibility for validating these paths falls entirely on the extracting application.

In vulnerable versions of the .NET SDK and runtime, the underlying logic utilizes standard file stream APIs to write extracted content to disk. The application constructs the final target path by concatenating the base extraction directory with the archive entry name. The concatenation logic fails to perform robust canonicalization or validation. When the Path.Combine method or equivalent concatenation routine encounters an absolute path as the second argument, it frequently discards the base directory and returns the absolute path directly.

Consequently, the extraction stream opens a file handle at the exact location specified by the attacker-controlled absolute path. The process fails to strip root directory prefixes or drive letters from the entry metadata. As long as the execution context possesses the requisite write permissions for the specified destination, the file system operation succeeds, writing the malicious payload to the arbitrary location.

The mitigation strategy for this vulnerability involves comprehensive updates to the fundamental dependency libraries responsible for package management, primarily NuGet.Packaging and NuGet.ProjectModel. The fix introduces rigorous path canonicalization prior to any file system operations. Microsoft released a patched version of NuGet.Packaging (version 7.0.2-rc.21506), which is subsequently bundled into the updated .NET Core runtimes.

The patched logic relies on resolving the absolute, canonical representation of both the intended target directory and the final destination path. The extraction routine invokes Path.GetFullPath() on the resulting concatenated string. The system then strictly verifies that the resolved destination path is a proper subdirectory of the resolved base directory using a StartsWith() validation check. Any entry that evaluates to a path outside the permitted directory structure throws an exception, aborting the extraction of that specific file.

The implementation of this validation boundary ensures that absolute path traversal attempts are definitively blocked. By forcing all generated paths to resolve internally and comparing the roots, the patch mitigates both absolute path injection and complex relative traversal vectors (e.g., deeply nested ../ sequences) that resolve outside the base boundary.

Adversaries leverage this vulnerability primarily through malicious package injection within development and deployment pipelines. The initial phase of the attack involves crafting a .nupkg archive containing standard project dependencies alongside a maliciously modified file entry. The attacker alters the ZIP central directory record to specify an absolute path for the malicious entry. The package is then published to a public registry or a compromised internal feed.

When a developer initiates a dotnet restore command, or an automated CI/CD runner processes a build definition, the .NET SDK retrieves and extracts the package. The extraction routine operates under the security context of the user executing the build. If the build runs with elevated privileges, the attacker gains the ability to overwrite system-level executables or configuration files across the entire operating system. Even under standard user permissions, the attacker can overwrite user-profile binaries, modifying .profile scripts, or planting DLLs for search-order hijacking.

A secondary exploitation vector involves single-file application bundles and WebAssembly (WASM) build tasks. Attackers can distribute tampered single-file installers to end users. Upon execution, the installer attempts to extract its internal components, triggering the vulnerable path resolution logic. In WASM scenarios, manipulated metadata fields such as integrity or hash properties within build configurations can propagate absolute paths into the publishing phase, causing arbitrary file creation on the build server.

The official CVSS assessment rates the severity as 7.5 (High), utilizing the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The integrity impact is classified as high due to the complete circumvention of filesystem boundary protections. The vulnerability directly enables an adversary to tamper with the host system by arbitrarily writing data. The specific consequences vary based on the permissions of the executing process, but the baseline impact involves unauthorized modification of the local environment.

Although the confidentiality and availability metrics are officially scored as none, the secondary effects of arbitrary file modification often cascade into full system compromise. By overwriting an existing executable or placing a malicious dynamically linked library (DLL) into a known search path, an attacker establishes a reliable execution vector. Subsequent invocation of the targeted binary will inadvertently load and execute the attacker's payload.

The network attack vector emphasizes that exploitation does not require local access to the target host. The automated nature of package resolution in modern software supply chains means that remote systems will pull and execute the vulnerable logic simply by processing a dependency manifest. The lack of required user interaction elevates the risk profile significantly for automated build infrastructure and containerized CI/CD environments.

The primary remediation strategy requires updating the .NET runtimes and SDKs to the latest servicing releases. Administrators must deploy .NET 10.0.8, .NET 9.0.16, or .NET 8.0.27 to vulnerable environments. Verification of the installed versions can be conducted by executing the dotnet --info command on target systems and inspecting the reported SDK and runtime components.

Development environments utilizing Visual Studio must apply the corresponding integrated updates. Visual Studio 2026 must be updated to version 18.5.3, Visual Studio 2022 to version 17.14.31 or 17.12.20, and legacy versions patched accordingly. These updates ensure that the embedded NuGet and MSBuild components utilize the patched extraction logic during local development and debugging sessions.

A critical mitigation step involves the recompilation and redeployment of self-contained applications. Because self-contained deployments bundle the runtime components directly into the application distribution, updating the host system runtime does not remediate the application. Organizations must rebuild these applications using the patched SDKs to incorporate the updated NuGet.Packaging logic into the standalone binaries.