Skip to main content

KDE KCoreAddons CVE-2026-41526

| EUVDEUVD-2026-26004 MEDIUM
Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)
2026-04-28 mitre
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 28, 2026 - 20:23 nvd
Patch available
Patch available
Apr 28, 2026 - 09:01 EUVD
Analysis Generated
Apr 28, 2026 - 08:00 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 07:30 euvd
EUVD-2026-26004
Analysis Generated
Apr 28, 2026 - 07:30 vuln.today
CVE Published
Apr 28, 2026 - 00:00 nvd
MEDIUM 6.5

DescriptionCVE.org

In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection.

AnalysisAI

KDE KCoreAddons before version 6.25 contains an improper neutralization of special elements vulnerability in the KShell::quoteArgs() function that fails to safely escape metacharacters and control characters, allowing local attackers with user interaction to inject arbitrary shell commands or terminal control sequences when user input is passed to shell execution contexts. Applications using this method to quote arguments for security-critical operations are affected; exploitation requires local access and user interaction but can achieve arbitrary code execution with user privileges.

Technical ContextAI

KShell::quoteArgs() is a utility function in KDE KCoreAddons designed to safely escape shell arguments by quoting them before passing to system shell execution. The vulnerability stems from inadequate handling of metacharacters as defined in CWE-150 (Improper Neutralization of Input Leaders in Data Stories). The root cause is that the quoting mechanism does not properly neutralize all special shell characters and control sequences, particularly control characters like \x01 which can be injected via the sendInput() terminal I/O function. This allows escape from the intended shell quoting context. The vulnerability affects any KDE-based application or library that depends on KCoreAddons and uses KShell::quoteArgs() in a security-critical context when processing untrusted user input destined for shell execution.

RemediationAI

Upgrade KDE KCoreAddons to version 6.25.0 or later. Distributions should update their KCoreAddons package and rebuild any dependent applications (particularly KDE Plasma components and applications). For environments unable to immediately upgrade, limit use of KShell::quoteArgs() in security-critical contexts; review application code using this function and replace with alternative argument-passing mechanisms that do not rely on shell quoting (such as direct execve() with argument arrays rather than shell string construction). Disable shell execution paths in applications where feasible, or implement additional input validation and sanitization above the KShell layer to filter control characters and metacharacters before passing to quoting functions. The official KDE security advisory at https://kde.org/info/security/advisory-20260427-1.txt provides vendor guidance on affected applications and recommended upgrade timelines.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.6 Fixed

Share

CVE-2026-41526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy