CVE-2026-44932
HIGHindirect remote shell command injection via unsanitized DHCP options in wicked
Title source: cnaDescription
Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.
References (6)
Core 6
Core References
Issue Tracking issue-tracking
https://bugzilla.suse.com/show_bug.cgi?id=1265221
Release Notes release-notes
https://github.com/openSUSE/wicked/releases/tag/version-0.6.79
Vendor Advisory vendor-advisory
https://lists.suse.com/pipermail/sle-security-updates/2026-June/026688.html
Vendor Advisory vendor-advisory
https://lists.suse.com/pipermail/sle-security-updates/2026-June/026689.html
Vendor Advisory vendor-advisory
https://lists.suse.com/pipermail/sle-security-updates/2026-June/026690.html
Vendor Advisory vendor-advisory
https://lists.suse.com/pipermail/sle-security-updates/2026-June/026691.html
Scores
CVSS v3
8.8
EPSS
0.0030
EPSS Percentile
21.6%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (1)
SUSE/wicked
< 0.6.79
Published
Jun 16, 2026
Tracked Since
Jun 16, 2026