
1 vulnerability found for wicked by SUSE

CVE-2026-44932 (GCVE-0-2026-44932)

Vulnerability from cvelistv5 – Published: 2026-06-16 15:26 – Updated: 2026-06-18 03:55
Title
indirect remote shell command injection via unsanitized DHCP options in wicked
Summary
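In wicked before 0.6.79, unsanitized strings from DHCP replies were passed into the wicked DHCP client, so an attacker operating a malicious DHCP server could execute code on the local machine. The record below classes this as CWE-78 with an adjacent-network attack vector (CVSS 3.1 base score 8.8), and lists versions below 0.6.79 as affected.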
CWE
CWE-78 (OS Command Injection)
Assigner
suse
Impacted products
Vendor Product Version
SUSE wicked Affected: from 0 up to, but not including, 0.6.79 (semver)
Credits
Wolfgang Frisch using Claude Opus

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44932",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-17T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T03:55:34.354Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/openSUSE/wicked",
          "defaultStatus": "unaffected",
          "modules": [
            "dhcp handling"
          ],
          "packageName": "wicked",
          "product": "wicked",
          "repo": "https://github.com/openSUSE/wicked",
          "vendor": "SUSE",
          "versions": [
            {
              "lessThan": "0.6.79",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Wolfgang Frisch using Claude Opus"
        }
      ],
      "datePublic": "2026-06-10T15:15:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003ePassing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.\u003c/div\u003e"
            }
          ],
          "value": "Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242 Code Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-16T15:26:51.919Z",
        "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "shortName": "suse"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=1265221"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/openSUSE/wicked/releases/tag/version-0.6.79"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026688.html"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026689.html"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026690.html"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-June/026691.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "indirect remote shell command injection via unsanitized DHCP options in wicked",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
    "assignerShortName": "suse",
    "cveId": "CVE-2026-44932",
    "datePublished": "2026-06-16T15:26:51.919Z",
    "dateReserved": "2026-05-08T12:29:48.966Z",
    "dateUpdated": "2026-06-18T03:55:34.354Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}