Skip to main content

Suse CVE-2026-24516

| EUVDEUVD-2026-14461 HIGH
Code Injection (CWE-94)
2026-03-23 mitre GHSA-fh3m-562m-w4f6
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Mar 23, 2026 - 16:30 euvd
EUVD-2026-14461
Analysis Generated
Mar 23, 2026 - 16:30 vuln.today
CVE Published
Mar 23, 2026 - 00:00 nvd
HIGH 8.8

DescriptionCVE.org

A command injection vulnerability exists in DigitalOcean Droplet Agent through 1.3.2. The troubleshooting actioner component (internal/troubleshooting/actioner/actioner.go) processes metadata from the metadata service endpoint and executes commands specified in the TroubleshootingAgent.Requesting array without adequate input validation. While the code validates that artifacts exist in the validInvestigationArtifacts map, it fails to sanitize the actual command content after the "command:" prefix. This allows an attacker who can control metadata responses to inject and execute arbitrary OS commands with root privileges. The attack is triggered by sending a TCP packet with specific sequence numbers to the SSH port, which causes the agent to fetch metadata from http://169.254.169.254/metadata/v1.json. The vulnerability affects the command execution flow in internal/troubleshooting/actioner/actioner.go (insufficient validation), internal/troubleshooting/command/exec.go (direct exec.CommandContext call), and internal/troubleshooting/command/command.go (command parsing without sanitization). This can lead to complete system compromise, data exfiltration, privilege escalation, and potential lateral movement across cloud infrastructure.

AnalysisAI

A critical command injection vulnerability exists in DigitalOcean Droplet Agent through version 1.3.2, where the troubleshooting actioner component processes metadata from the metadata service endpoint without adequate input validation, allowing attackers who can control metadata responses to inject and execute arbitrary OS commands with root privileges. An attacker can trigger the vulnerability by sending a TCP packet with specific sequence numbers to the SSH port, causing the agent to fetch and execute malicious commands from the metadata service, potentially leading to complete system compromise, data exfiltration, and lateral movement across cloud infrastructure. A public proof-of-concept exists at https://github.com/poxsky/CVE-2026-24516-DigitalOcean-RCE, indicating active research and potential exploitation risk.

Technical ContextAI

The vulnerability resides in the DigitalOcean Droplet Agent, a privileged system service running on cloud instances that fetches configuration and troubleshooting directives from the metadata service endpoint at http://169.254.169.254/metadata/v1.json. The root cause is classified as inadequate input validation and command injection (CWE-78: Improper Neutralization of Special Elements used in an OS Command). The affected code spans three components: internal/troubleshooting/actioner/actioner.go (processes metadata without sanitizing command content after the 'command:' prefix), internal/troubleshooting/command/exec.go (directly executes commands via exec.CommandContext without prior sanitization), and internal/troubleshooting/command/command.go (parses commands without proper escaping or validation). The vulnerability is triggered when a TCP packet with specific sequence numbers is sent to the SSH port, which causes the agent to interpret the request as legitimate and fetch metadata containing malicious command directives that are subsequently executed in the context of the root-privileged process.

RemediationAI

Upgrade DigitalOcean Droplet Agent to the patched version immediately once available from DigitalOcean (check https://github.com/digitalocean/droplet-agent for release notes and security advisories). Until a patch is available, implement network-level mitigations by restricting or monitoring access to the metadata service endpoint (169.254.169.254) at the instance firewall level if operationally feasible, and ensure that only legitimate system components can trigger metadata service calls. Additionally, consider implementing host-based intrusion detection to monitor for suspicious command execution patterns originating from the Droplet Agent process, and review cloud infrastructure network segmentation to limit the blast radius of a compromised Droplet Agent. Apply the patch as soon as it is released, as this vulnerability allows unauthenticated remote code execution with root privileges on affected instances.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-24516 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy