Skip to main content

spice-vdagent CVE-2026-57966

| EUVDEUVD-2026-40050 MEDIUM
Path Traversal (CWE-22)
2026-06-29 redhat GHSA-gg66-359m-pmcc
4.4
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
4.4 MEDIUM

AV:L reflects SPICE protocol channel access; PR:H captures mandatory SPICE host control; I:H for arbitrary guest file write; no confidentiality or availability impact applies.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 29, 2026 - 09:18 vuln.today
CVE Published
Jun 29, 2026 - 07:53 cve.org
MEDIUM 4.4

DescriptionCVE.org

A path traversal vulnerability was found in spice-vdagent. This flaw allows a malicious or compromised SPICE host to write arbitrary files to any location on the guest operating system. This occurs because the filename provided by the SPICE host during file transfers is not properly sanitized before being used. An attacker could exploit this to write to sensitive locations with the privileges of the spice-vdagent process, typically the logged-in user. This issue requires the SPICE host to be untrusted or compromised for exploitation.

AnalysisAI

Path traversal in spice-vdagent enables a malicious or compromised SPICE host to write arbitrary files to any location on the guest operating system during file transfer operations. Affecting Red Hat Enterprise Linux versions 6 through 10, the flaw stems from unsanitized filenames supplied by the SPICE host before use by the vdagent process, allowing writes at the privilege level of the logged-in guest user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise or gain control of SPICE host
Delivery
Initiate SPICE file transfer to target guest
Exploit
Supply path-traversal filename (e.g., '../../.bashrc')
Execution
spice-vdagent processes unsanitized filename
Persist
Arbitrary file written to guest filesystem at traversed path
Impact
Sensitive guest files overwritten with attacker-controlled content

Vulnerability AssessmentAI

Exploitation Exploitation requires that the SPICE host be either untrusted or explicitly compromised - the attacker must exercise control over the host side of the SPICE virtualization channel, representing a high-privilege prerequisite (PR:H). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 4.4 (Medium) with vector AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N accurately reflects the constrained threat model. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has gained control of the SPICE virtualization host - for example, through a compromised hypervisor management plane or a rogue cloud infrastructure operator - initiates a SPICE file transfer to a target guest VM, supplying a crafted filename such as '../../.bashrc' or '../../etc/cron.d/implant'. The spice-vdagent process on the guest, running with the logged-in user's privileges, writes the attacker-controlled file content to the traversed path, potentially overwriting shell initialization files or planting scheduled tasks. …
Remediation No explicit patched package version is confirmed in the available intelligence; consult the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2026-57966 and Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2493582 for the latest errata package. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Share

CVE-2026-57966 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy