Vulnerability Description
A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above.
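The mechanism the description names, shown as an added illustration (this is not Firecracker's jailer code, and not the fix shipped in v1.13.2 / v1.14.1, whose details the page does not give): a privileged process copies a file into a directory an unprivileged user can write to, and if that user has planted a symlink under the expected file name beforehand, a plain create-and-write follows the link and the write lands on the link target. Opening the destination with O_CREAT|O_EXCL (`create_new` in Rust's standard library) makes the open fail on any pre-existing entry, symlinks included, so the planted link is rejected instead of followed. Every path and name below is constructed for the demo: a temporary directory stands in for the pre-created jailer directory and `host_file` for an arbitrary host file.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::symlink;
use std::path::{Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};

/// Vulnerable pattern: File::create opens with O_CREAT|O_TRUNC and no
/// O_EXCL, so if `dst` is already a symlink the kernel follows it and the
/// truncate-and-write lands on whatever the link points at.
fn copy_following_symlinks(contents: &[u8], dst: &Path) -> io::Result<()> {
    let mut f = fs::File::create(dst)?;
    f.write_all(contents)
}

/// Hardened pattern: O_CREAT|O_EXCL (`create_new`) makes open() fail with
/// EEXIST if anything already exists at `dst`, symlinks included, so a
/// pre-planted link is reported as an error instead of followed.
fn copy_no_follow(contents: &[u8], dst: &Path) -> io::Result<()> {
    let mut f = OpenOptions::new().write(true).create_new(true).open(dst)?;
    f.write_all(contents)
}

/// What the demo observed for each copy variant.
#[derive(Debug)]
pub struct Outcome {
    pub vulnerable_overwrote_host_file: bool,
    pub hardened_refused: bool,
    pub hardened_host_file_intact: bool,
}

/// Fresh scratch directory under the system temp dir (constructed for the demo).
fn scratch_dir() -> io::Result<PathBuf> {
    let nanos = SystemTime::now().duration_since(UNIX_EPOCH).unwrap_or_default().as_nanos();
    let dir = std::env::temp_dir().join(format!("symlink-copy-demo-{}-{}", std::process::id(), nanos));
    fs::create_dir(&dir)?;
    Ok(dir)
}

/// Runs both copy variants against the same attacker-planted symlink.
pub fn run_demo() -> io::Result<Outcome> {
    let root = scratch_dir()?;
    let host_file = root.join("host_file"); // stands in for an arbitrary host file
    let jail = root.join("jail");           // stands in for a pre-created, attacker-writable directory
    fs::create_dir(&jail)?;
    let original = b"original host content";
    let payload = b"contents the privileged copy writes";

    // Attacker step: with write access to `jail`, plant a symlink under the
    // name the privileged process will copy to, pointing at the host file.
    fs::write(&host_file, original)?;
    let planted = jail.join("binary");
    symlink(&host_file, &planted)?;

    // Privileged step, vulnerable variant: the copy follows the link and
    // clobbers the host file.
    copy_following_symlinks(payload, &planted)?;
    let vulnerable_overwrote_host_file = fs::read(&host_file)? == payload;

    // Reset the host file and retry with the hardened copy against the same link.
    fs::write(&host_file, original)?;
    let hardened_refused = matches!(
        copy_no_follow(payload, &planted),
        Err(e) if e.kind() == io::ErrorKind::AlreadyExists
    );
    let hardened_host_file_intact = fs::read(&host_file)? == original;

    fs::remove_dir_all(&root)?;
    Ok(Outcome { vulnerable_overwrote_host_file, hardened_refused, hardened_host_file_intact })
}

fn main() -> io::Result<()> {
    println!("{:?}", run_demo()?);
    Ok(())
}
```

The block needs a Unix target for `symlink` and runs as an ordinary user; it does not need root, because the point is the open flags, not the privilege level. Two caveats a reviewer of such a copy routine would raise: `create_new` only protects the final path component, so if the attacker can replace a parent directory with a symlink the walk itself must refuse links (for example `openat2` with `RESOLVE_NO_SYMLINKS`, or per-component `openat` with `O_NOFOLLOW`), or the copy should happen after dropping to the unprivileged uid so kernel permission checks bound the damage; and Linux's `fs.protected_symlinks` sysctl only stops root from following foreign-owned links in sticky world-writable directories, which ordinary pre-created directories are not.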
CVSS Score
6.0 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Firecracker | <= 1.13.1 and 1.14.0 (fixed in 1.13.2 and 1.14.1) |
Related Weaknesses (CWE)
- CWE-61: UNIX Symbolic Link (Symlink) Following, the weakness class named in the description
References
- https://aws.amazon.com/security/security-bulletins/2026-003-AWS/ (Vendor Advisory)
- https://github.com/firecracker-microvm/firecracker/releases/tag/v1.13.2 (Release Notes, Product)
- https://github.com/firecracker-microvm/firecracker/releases/tag/v1.14.1 (Release Notes, Product)
- https://github.com/firecracker-microvm/firecracker/security/advisories/GHSA-36j2 (Vendor Advisory)
FAQ
What is CVE-2026-1386?
CVE-2026-1386 is a symbolic link following vulnerability (CVSS 6.0, MEDIUM) in the jailer component of Firecracker on Linux, affecting v1.13.1 and earlier and 1.14.0. When the jailer is started with root privileges, a local host user with write access to the pre-created jailer directories can plant a symlink that the jailer's initialization copy follows at startup, overwriting arbitrary host files.
How severe is CVE-2026-1386?
CVE-2026-1386 is rated MEDIUM with a CVSS base score of 6.0/10. Exploitation requires local access to the host, write access to the pre-created jailer directories, and a jailer started with root privileges; the impact is the overwrite of arbitrary host files.
Is there a patch for CVE-2026-1386?
Yes. The issue is fixed in Firecracker v1.13.2 and v1.14.1: users on v1.13.1 or earlier should upgrade to v1.13.2 or later, and users on 1.14.0 to 1.14.1 or later. The vendor advisory and release notes are linked in the references above. Affected product: Amazon Firecracker.