CVE-2026-26065 Overview
CVE-2026-26065 is a critical Path Traversal vulnerability affecting Calibre, the popular cross-platform e-book manager used for viewing, converting, editing, and cataloging e-books. The vulnerability exists in the PDB (Palm Database) readers, specifically in both the 132-byte and 202-byte header variants (reader132.py and reader202.py), and allows an attacker to write files with arbitrary names, extensions and content to any location where the user running Calibre has write permission.
The vulnerability enables malicious actors to craft specially formatted PDB e-book files that, when processed by Calibre, write files outside the intended images directory. Files are opened in binary write mode (wb), which truncates and overwrites any existing file at the target path without warning, significantly increasing the potential for damage.
Critical Impact
This vulnerability allows arbitrary file writes with the privileges of the user running Calibre. Overwriting files that user can write, such as shell or application startup files and configuration, can lead to code execution, and corrupting important user files can cause Denial of Service or data loss.
Affected Products
- Calibre versions 9.2.1 and below
- All platforms (Windows, macOS, Linux) running vulnerable Calibre versions
- Systems processing untrusted PDB e-book files
Discovery Timeline
- 2026-02-20 - CVE-2026-26065 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-26065
Vulnerability Analysis
This Path Traversal vulnerability (CWE-22) exists in Calibre's PDB reader components. The flaw stems from inadequate validation of file names taken from PDB e-book records. When extracting image records embedded within PDB format e-books, the application fails to sanitize the image name, so directory traversal sequences (such as ../) or absolute paths escape the intended images directory.
The vulnerability affects two distinct reader implementations: reader132.py for 132-byte PDB headers and reader202.py for 202-byte headers. Both implementations suffered from the same fundamental flaw: they trusted attacker-controlled name data from the PDB file structure without any path validation.
The local attack vector requires user interaction, as a victim must open a maliciously crafted PDB file. However, given Calibre's widespread use for managing e-book libraries and its integration with various e-book sources, the attack surface is significant.
Root Cause
The root cause is insufficient input validation in the PDB image extraction routines. When extracting images from PDB files, the vulnerable code directly used the image name from the file metadata to construct the output path without verifying that the resulting path remained within the intended output directory. This allowed attackers to include path traversal sequences in image names, causing files to be written to arbitrary locations.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious PDB e-book file containing embedded images with path traversal sequences in their names. When a victim opens this file with a vulnerable version of Calibre, the application extracts the images to locations outside the intended directory.
Potential attack scenarios include:
- Overwriting configuration files to achieve code execution on application restart
- Replacing executable files or scripts in user-accessible locations
- Corrupting critical user documents causing data loss
- Planting malicious files in startup directories for persistence
The security patch introduces a new image_dest() function that validates extracted image paths remain within the container directory:
    def image_dest(self, name, cwd):
        # Resolve the requested image path and keep it only if it stays
        # under cwd. The trailing separator matters: without it a sibling
        # directory whose name merely starts with cwd (images vs images_evil)
        # would pass the commonprefix check.
        base = os.path.abspath(cwd)
        if not base.endswith(os.sep):
            base += os.sep
        ans = os.path.abspath(os.path.join(base, name))
        if os.path.commonprefix([ans, base]) != base:
            ans = ''
        return ans
Source: GitHub Commit
The fix in reader202.py ensures all image extractions use the validated destination path:
    if not os.path.exists(os.path.join(output_dir, 'images/')):
        os.makedirs(os.path.join(output_dir, 'images/'))
    images = []
    with CurrentDir(os.path.join(output_dir, 'images/')) as cwd:
        for i in range(self.header_record.non_text_offset, len(self.sections)):
            name, img = self.get_image(i)
            name = as_unicode(name or b'')
            # A name that resolves outside images/ yields an empty dest and the record is skipped
            if name and (dest := self.image_dest(name, cwd)):
                images.append(name)
                with open(dest, 'wb') as imgf:
                    self.log.debug(f'Writing image {name} to images/')
                    imgf.write(img)
Source: GitHub Commit
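To make the root cause and the fix concrete, the following added example (written for this page, not code from the Calibre project) places the pre-patch join beside a standalone copy of the image_dest() check and runs both over constructed image records in a throwaway directory tree. The directory names, the sample records and the vulnerable_dest() helper are illustrative assumptions; the hardened path reproduces the check shown above, including the trailing-separator detail that rejects a lookalike sibling directory.

```python
import os
import tempfile

# Constructed image records (name, bytes) of the kind a PDB image section
# carries. Illustrative inputs only, not taken from a real exploit file.
SAMPLE_IMAGES = [
    ("cover.png", b"\x89PNG...cover"),
    ("../sibling.txt", b"escapes one level, into the book directory"),
    ("../../victim.txt", b"escapes two levels, clobbers an existing file"),
]


def vulnerable_dest(name, images_dir):
    """Pre-patch behaviour (assumed helper): the record name is joined as-is."""
    return os.path.abspath(os.path.join(images_dir, name))


def image_dest(name, images_dir):
    """Patched behaviour, following the image_dest() check: resolve the path
    and require it to stay under images_dir. Returns '' for anything else."""
    base = os.path.abspath(images_dir)
    if not base.endswith(os.sep):
        base += os.sep   # stops 'images_evil' from matching the prefix 'images'
    ans = os.path.abspath(os.path.join(base, name))
    if os.path.commonprefix([ans, base]) != base:
        return ''
    return ans


def extract_images(images, output_dir, hardened):
    """Write each record under output_dir/images, like the reader's loop.
    Returns the absolute paths written. hardened=False reproduces the flaw."""
    images_dir = os.path.join(output_dir, "images")
    os.makedirs(images_dir, exist_ok=True)
    written = []
    for name, data in images:
        dest = image_dest(name, images_dir) if hardened else vulnerable_dest(name, images_dir)
        if not dest:
            continue                      # patched reader skips the record
        with open(dest, "wb") as imgf:    # 'wb' truncates silently
            imgf.write(data)
        written.append(dest)
    return written


def demo():
    """Run both variants in a temporary tree and report what each one touched."""
    result = {}
    with tempfile.TemporaryDirectory() as root:
        book_dir = os.path.join(root, "library", "book")
        victim = os.path.join(root, "library", "victim.txt")
        os.makedirs(book_dir)
        for label, hardened in (("vulnerable", False), ("hardened", True)):
            with open(victim, "wb") as f:
                f.write(b"original contents")
            written = extract_images(SAMPLE_IMAGES, book_dir, hardened)
            result[label] = sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in written)
            with open(victim, "rb") as f:
                result[label + "_victim"] = f.read()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable run writes outside images/ twice and replaces victim.txt; the hardened run writes only cover.png and leaves victim.txt untouched. Note that the check also rejects names that stay inside a lookalike directory such as ../images_evil/x.png, which a prefix comparison without the trailing separator would accept.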
Detection Methods for CVE-2026-26065
Indicators of Compromise
- Unexpected file modifications outside of Calibre's library directories during e-book import operations
- PDB files containing image entries with path traversal sequences (../, ..\\, or absolute paths)
- Newly created or modified files in system directories coinciding with Calibre usage
- Unexpected application crashes or configuration changes after opening PDB files
Detection Strategies
- Monitor file system activity during Calibre e-book import operations for writes outside the library directory
- Implement file integrity monitoring on critical system files and startup directories
- Scan incoming PDB files for path traversal patterns in embedded metadata
- Deploy endpoint detection rules to alert on suspicious file writes correlating with Calibre process activity
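The file scan suggested above can be done without Calibre by walking the PDB record table. The added example below (written for this page, not part of Calibre or of the page's sources) parses the documented 78-byte Palm Database header and 8-byte record entries, then flags any record whose payload contains a ../ or ..\ sequence. It constructs its own sample file with an illustrative image-record layout and assumes PNRd/PPrs as the eReader type/creator pair; it is a content heuristic that does not locate the format's name field, so absolute-path names are not detected by it.

```python
import struct

# Documented PDB layout: a 78-byte header, then one 8-byte entry per record
# (big-endian 4-byte offset, 1-byte attributes, 3-byte unique id). Where the
# image name sits inside a record is format-specific, so the scan searches
# each record's full payload rather than a single name field.
HEADER_LEN = 78
RECORD_ENTRY_LEN = 8
TRAVERSAL_MARKERS = (b"../", b"..\\")


def build_pdb(payloads, name=b"sample", db_type=b"PNRd", creator=b"PPrs"):
    """Assemble a minimal PDB around raw record payloads (constructed test data).
    PNRd/PPrs is assumed here to be the eReader type/creator pair."""
    num = len(payloads)
    data_start = HEADER_LEN + num * RECORD_ENTRY_LEN + 2   # 2 filler bytes after the table
    header = struct.pack(">32sHHIIIIII4s4sIIH",
                         name.ljust(32, b"\x00"), 0, 0, 0, 0, 0, 0, 0, 0,
                         db_type, creator, 0, 0, num)
    entries, offset = [], data_start
    for i, payload in enumerate(payloads):
        entries.append(struct.pack(">IB3s", offset, 0, i.to_bytes(3, "big")))
        offset += len(payload)
    return header + b"".join(entries) + b"\x00\x00" + b"".join(payloads)


def iter_records(pdb):
    """Yield (index, payload) by walking the record table; rejects bad tables."""
    if len(pdb) < HEADER_LEN:
        raise ValueError("shorter than a PDB header")
    num = struct.unpack_from(">H", pdb, 76)[0]
    table_end = HEADER_LEN + num * RECORD_ENTRY_LEN
    if table_end > len(pdb):
        raise ValueError("record table runs past end of file")
    offsets = [struct.unpack_from(">I", pdb, HEADER_LEN + i * RECORD_ENTRY_LEN)[0]
               for i in range(num)]
    for i, start in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < num else len(pdb)
        if not table_end <= start <= end <= len(pdb):
            raise ValueError(f"record {i} has an out-of-range offset")
        yield i, pdb[start:end]


def scan_pdb(pdb):
    """Return (record index, marker) for each record carrying a traversal marker."""
    hits = []
    for i, payload in iter_records(pdb):
        for marker in TRAVERSAL_MARKERS:
            if marker in payload:
                hits.append((i, marker))
                break
    return hits


def demo_scan():
    """Scan a constructed eReader-style PDB with two traversal-named image records."""
    def image_record(name):
        # Illustrative image record: 'PNG' tag, zero-padded name field, pixel data.
        return b"PNG\x00" + name.ljust(32, b"\x00") + b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    payloads = [
        b"\x00" * 16 + b"Plain text record, no image here",
        image_record(b"cover.png"),
        image_record(b"../../.bashrc"),
        image_record(b"..\\..\\start.bat"),
    ]
    return scan_pdb(build_pdb(payloads))


if __name__ == "__main__":
    for index, marker in demo_scan():
        print(f"record {index}: traversal marker {marker!r}")
```

Running it reports records 2 and 3 of the constructed file. To scan real files, read the bytes and pass them to scan_pdb(); a hit is worth quarantining for manual inspection rather than treating as proof of exploitation, since the marker search also fires on benign text records that happen to contain those characters.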
Monitoring Recommendations
- Enable detailed logging for Calibre operations, particularly e-book import and conversion activities
- Monitor for the creation of files with unusual extensions in system directories
- Implement behavioral analysis to detect Calibre writing files to unexpected locations
- Review and audit recently imported PDB files from untrusted sources
How to Mitigate CVE-2026-26065
Immediate Actions Required
- Upgrade Calibre to version 9.3.0 or later immediately
- Avoid opening PDB e-book files from untrusted sources until the upgrade is complete
- Review systems for signs of exploitation if untrusted PDB files have been recently processed
- Consider restricting Calibre's file system access using application sandboxing where available
Patch Information
The vulnerability has been addressed in Calibre version 9.3.0. The fix introduces path validation in the image_dest() function for both PDB reader variants, ensuring extracted images cannot escape the intended container directory. The patch is available in the official GitHub commit.
For detailed information about the security issue, refer to the GitHub Security Advisory.
Workarounds
- Avoid processing PDB format e-books from untrusted sources until patched
- Run Calibre in a sandboxed environment or container with restricted file system access
- Use a dedicated user account with minimal privileges for running Calibre
- Convert untrusted PDB files using an isolated system before importing into your primary library
# Example: Run Calibre with a private home directory using firejail (Linux).
# Inside the sandbox only ~/calibre-sandbox is visible as the home directory,
# so traversal writes aimed at the real home (shell startup files, autostart
# entries) cannot land there; keep the library you import into under it.
mkdir -p "$HOME/calibre-sandbox"
firejail --private="$HOME/calibre-sandbox" calibre
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


