CVE-2026-1386 Overview
A UNIX symbolic link (symlink) following vulnerability exists in the jailer component of Firecracker, the open-source virtualization technology developed by AWS for creating and managing secure, multi-tenant container and function-based services. This vulnerability allows a local host user with write access to pre-created jailer directories to overwrite arbitrary host files through a symlink attack during the initialization copy phase at jailer startup.
The attack is possible when the jailer is executed with root privileges, enabling an attacker to exploit a race condition during file operations to redirect writes to arbitrary locations on the host filesystem. This type of vulnerability (CWE-61: UNIX Symbolic Link Following) represents a classic Time-of-Check Time-of-Use (TOCTOU) attack pattern that can lead to privilege escalation or system compromise.
Critical Impact
Local attackers with write access to jailer directories can overwrite arbitrary host files when the Firecracker jailer runs as root, potentially leading to system compromise or denial of service.
Affected Products
- Firecracker v1.13.1 and earlier versions
- Firecracker v1.14.0
- Linux-based deployments running Firecracker jailer with root privileges
Discovery Timeline
- January 23, 2026 - CVE-2026-1386 published to NVD
- January 26, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1386
Vulnerability Analysis
The vulnerability resides in Firecracker's jailer component, which is responsible for setting up the sandbox environment for microVMs. During the jailer's initialization phase, it performs file copy operations to populate the jail directory with necessary resources. When the jailer runs with root privileges, it follows symbolic links without proper validation, allowing an attacker to exploit this behavior.
The flaw manifests during the initialization copy process where the jailer copies files into pre-created directories. If an attacker has write access to these directories, they can create a symbolic link pointing to a sensitive file on the host system (such as /etc/passwd, /etc/shadow, or system configuration files). When the jailer performs its copy operation, it follows the symlink and overwrites the target file with attacker-controlled content.
This attack requires local access and specific preconditions: the attacker must have write permissions to the jailer directories before initialization occurs, and the jailer must be running with root privileges. The local attack vector and elevated privilege requirements limit the attack surface, but in multi-tenant cloud environments where Firecracker is commonly deployed, these conditions may be achievable.
Root Cause
The root cause is insufficient validation of file paths during copy operations in the jailer component. The jailer fails to properly check whether destination paths resolve to symbolic links before performing write operations. This lack of safe file handling allows an attacker to redirect file operations to arbitrary locations outside the intended jail directory.
Proper mitigation requires using safe file operations that either refuse to follow symbolic links (such as using O_NOFOLLOW flag) or validate the resolved path against expected boundaries before performing any write operations.
Attack Vector
The attack follows a classic symlink exploitation pattern:
- An attacker identifies a Firecracker deployment where they have write access to the pre-created jailer directories
- Before the jailer starts, the attacker creates a symbolic link in the jailer directory pointing to a sensitive host file
- When the jailer initializes and copies files, it follows the symlink and overwrites the target file
- Depending on the target file, this can result in privilege escalation, denial of service, or system compromise
The attack requires the jailer to run with root privileges, as non-privileged execution would limit the files that could be overwritten. In production deployments, Firecracker jailer is often run with elevated privileges to perform necessary sandboxing operations, making this a realistic attack scenario.
Detection Methods for CVE-2026-1386
Indicators of Compromise
- Unexpected symbolic links appearing in Firecracker jailer directories (typically under /srv/jailer/ or custom configured paths)
- Modifications to critical system files that coincide with Firecracker jailer startup events
- Audit log entries showing file overwrites in sensitive system directories correlated with jailer process activity
- Presence of symlinks in jailer directories pointing to files outside the expected jail hierarchy
Detection Strategies
- Enable file integrity monitoring (FIM) on Firecracker jailer directories to detect symbolic link creation
- Monitor for symlink() and link() system calls in jailer directories using auditd or eBPF-based monitoring
- Implement real-time alerting for any file modifications in system-critical directories during jailer startup windows
- Deploy SentinelOne's Behavioral AI to detect anomalous file system operations associated with containerization processes
Monitoring Recommendations
- Configure auditd rules to monitor file operations in jailer directories: auditctl -w /srv/jailer -p wa -k firecracker_jailer
- Implement alerting for any symbolic link creation in jailer paths before microVM initialization
- Monitor Firecracker process execution patterns for unexpected file access outside jail boundaries
- Review and audit permissions on pre-created jailer directories regularly
How to Mitigate CVE-2026-1386
Immediate Actions Required
- Upgrade Firecracker to version v1.13.2 or v1.14.1 or later immediately
- Audit existing jailer directory permissions and remove write access for untrusted users
- Review and restrict which users have the ability to create files in jailer directories
- Consider running Firecracker jailer without root privileges where operationally feasible
Patch Information
AWS has released patched versions of Firecracker that address this vulnerability. Users should upgrade to:
- Version v1.13.2 for the 1.13.x branch - see GitHub Firecracker Release v1.13.2
- Version v1.14.1 for the 1.14.x branch - see GitHub Firecracker Release v1.14.1
Additional details are available in the AWS Security Bulletin 2026-003 and the GitHub Security Advisory GHSA-36j2-f825-qvgc.
Workarounds
- Restrict write access to jailer directories to only trusted administrative users using strict filesystem permissions
- Run the Firecracker jailer without root privileges if your deployment architecture permits
- Implement mandatory access control (MAC) policies using SELinux or AppArmor to prevent symlink-based attacks on the jailer directories
- Create jailer directories immediately before use rather than pre-creating them, reducing the window for symlink placement
# Configuration example
# Secure jailer directory permissions - restrict write access
chmod 755 /srv/jailer
chown root:root /srv/jailer
# Remove write access for all non-root users on specific jail paths
find /srv/jailer -type d -exec chmod 755 {} \;
# Enable auditd monitoring for jailer directories
auditctl -w /srv/jailer -p wa -k firecracker_jailer_monitor
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
