UNIX Symbolic Link (Symlink) Following Affecting firecracker package, versions <1.13.2>=1.14.0-dev <1.14.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-FIRECRACKER-15091588
- published25 Jan 2026
- disclosed23 Jan 2026
- creditUnknown
Introduced: 23 Jan 2026
CVE-2026-1386 (opens in a new tab)How to fix?
Upgrade firecracker to version 1.13.2, 1.14.1 or higher.
Overview
firecracker is an unofficial API client for the [Amazon Firecracker] microVM platform.
Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following via the jailer process. An attacker can overwrite arbitrary files on the host system by creating symbolic links in pre-created jailer directories and leveraging the initialization copy operation at startup when the process is executed with elevated privileges. This is only exploitable if the attacker has write access to the jailer directories and the process is run as root.
Workaround
This vulnerability can be mitigated by ensuring that untrusted users do not have write access to jailer directories and by avoiding running the process with root privileges when possible.