How to Fix CVE-2026-6968: tough (Bundle Sibling)
By Sai Kiran Pandrala
Last verified: 2026-05-25
CVE-2026-6968 is a sibling vulnerability in the same vendor advisory as CVE-2026-6966. Applying the patched build named in the primary write-up closes this CVE as well.
| Severity | CVSS 7.1 - High |
|---|---|
| Actively exploited? | Not currently in CISA KEV |
| Affected | Same as the bundle - see CVE-2026-6966 |
| Fixed in | Same patched build as CVE-2026-6966 (0.22.0, 0.15.0) |
| Type (CWE) | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
What's different about CVE-2026-6968?
Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside the intended output directories. The escape routes are absolute target names in copy_target/link_target, symlinked parent directories in save_target, and symlinked metadata filenames in SignedRole::write; in each case the write path trusts the joined destination path without post-resolution containment verification.
We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
The technical impact and remediation are identical to the primary CVE in the bundle. The same vendor patch closes both.
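As an added illustration (not tough's own code), the following Rust function shows the post-resolution containment check that the description above says was missing: it rejects rooted names before Path::join can discard the base, refuses ".." components, and then canonicalizes the deepest existing prefix of the destination so that a symlinked parent directory or a symlinked file name resolving outside the output directory is refused. The function and error names are assumptions for this example.

```rust
// Added example (not tough's own code): post-resolution containment check
// for a destination inside an output directory.
use std::fs;
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum ContainmentError {
    AbsoluteName,    // name is rooted; Path::join would discard `outdir`
    ParentTraversal, // name contains a ".." component
    Escaped,         // resolved destination (or its parent) leaves `outdir`
}

/// Join `name` onto `outdir` and verify, after resolving symlinks, that the
/// destination still lies inside `outdir`. Returns the path that is safe to write.
pub fn contained_destination(outdir: &Path, name: &str) -> Result<PathBuf, ContainmentError> {
    let candidate = Path::new(name);
    // Path::join replaces the whole base when the right-hand side is rooted.
    if candidate.has_root() {
        return Err(ContainmentError::AbsoluteName);
    }
    // Lexical check before touching the filesystem.
    if candidate.components().any(|c| matches!(c, Component::ParentDir)) {
        return Err(ContainmentError::ParentTraversal);
    }
    let joined = outdir.join(candidate);
    let base = fs::canonicalize(outdir).map_err(|_| ContainmentError::Escaped)?;
    // Find the deepest prefix of the destination that exists on disk.
    // symlink_metadata does not follow links, so a dangling symlink counts as
    // existing and is then rejected by canonicalize instead of written through.
    let mut existing: &Path = &joined;
    while fs::symlink_metadata(existing).is_err() {
        existing = existing.parent().ok_or(ContainmentError::Escaped)?;
    }
    // Post-resolution check: canonicalize follows every symlink in the prefix.
    let resolved = fs::canonicalize(existing).map_err(|_| ContainmentError::Escaped)?;
    if !resolved.starts_with(&base) {
        return Err(ContainmentError::Escaped);
    }
    Ok(joined)
}

fn main() {
    let out = Path::new(".");
    println!("{:?}", contained_destination(out, "targets/example.json"));
    println!("{:?}", contained_destination(out, "/tmp/escape"));
}
```

Not-yet-created subdirectories pass because only their existing ancestor is resolved, while a ".." component is already refused lexically, so the unresolved tail cannot climb out.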
How to fix CVE-2026-6968
Apply the patched build per the primary write-up: How to Fix CVE-2026-6966.
The patch installation procedure, verification commands, and interim mitigations are documented there. Reusing one runbook keeps the rollout consistent across the bundle.
Frequently asked questions
Is CVE-2026-6968 fixed by the same patch as CVE-2026-6966?
Yes. CVE-2026-6968 ships in the same vendor advisory as CVE-2026-6966. Applying the patched build named in the primary write-up closes both.
What is the CVSS score for CVE-2026-6968?
The CVSS base score is 7.1 (High).
Is it being exploited?
It is not currently listed in CISA KEV.
References
- Official vendor advisory: https://aws.amazon.com/security/security-bulletins/2026-019-aws/
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-6968
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Primary write-up: How to Fix CVE-2026-6966
*Part of the tough bundle. Full procedure at CVE-2026-6966.*