No advisories yet.
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Tue, 14 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 14 Jul 2026 00:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Dao-ailab
Dao-ailab flash-attention |
|
| Vendors & Products |
Dao-ailab
Dao-ailab flash-attention |
Mon, 13 Jul 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | FlashAttention through 2.8.3.post1, fixed in commit 0816ef1, contains a symlink attack vulnerability in the download_and_copy() function within hopper/setup.py that extracts NVIDIA toolchain archives without validating symlinks or filtering tar members. A local attacker can pre-plant a symlink in the predictable cache directory to redirect extracted binaries to an attacker-chosen location, enabling arbitrary file write with victim privileges during build time. | |
| Title | FlashAttention Symlink Attack via tarfile.extractall in hopper/setup.py | |
| Weaknesses | CWE-59 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-14T12:53:45.093Z
Reserved: 2026-07-13T16:41:09.007Z
Link: CVE-2026-62239
Updated: 2026-07-14T12:53:36.510Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-14T13:15:10Z