Skip to main content

Pardus Parental Control CVE-2026-9085

| EUVDEUVD-2026-41765 HIGH
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-07-05 TR-CERT GHSA-686q-wrh7-cph5
8.8
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Local, low-complexity abuse by an unprivileged user (AV:L/AC:L/PR:L); the permission flaw lets tampering alter system-wide DNS, justifying scope change and high C/I/A.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 05, 2026 - 16:01 EUVD
Analysis Generated
Jul 05, 2026 - 15:20 vuln.today

DescriptionCVE.org

Incorrect Permission Assignment for Critical Resource, Improper Access Control vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus-Parental-Control allows DNS Spoofing.

This issue affects Pardus-Parental-Control: from <=0.5.1 before 0.7.0.

AnalysisAI

Local privilege abuse in TUBITAK BILGEM Pardus-Parental-Control (versions up to and including 0.5.1, fixed in 0.7.0) lets a low-privileged local user exploit insecure file/resource permissions to tamper with the tool's DNS configuration and perform DNS spoofing. Because the CVSS scope is changed (S:C), the impact reaches beyond the application to system-wide name resolution, enabling redirection of traffic, bypass of parental filtering, and interception of connections. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged local session on Pardus host
Delivery
Locate misconfigured writable DNS/config resource
Exploit
Modify parental-control DNS settings
Execution
Redirect resolution to attacker resolver
Impact
Spoof DNS and bypass filtering/intercept traffic

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to a Pardus host running Pardus-Parental-Control at version 0.5.1 or earlier, together with a low-privileged (non-root) local account (CVSS PR:L, AV:L) - no user interaction and no administrative rights are needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) is elevated primarily by the scope change (S:C) and full high impact across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A supervised, low-privileged user on a Pardus workstation logs into their normal account and, exploiting the overly permissive permissions on the parental-control DNS configuration, rewrites it to point at an attacker-chosen resolver. Subsequent name lookups for filtered or sensitive domains are answered by the malicious resolver, defeating parental filtering and enabling redirection or interception of the victim host's traffic. …
Remediation Upgrade to Pardus-Parental-Control 0.7.0 or later, which is the vendor-designated fixed release, as documented in the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0500. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and document all systems running Pardus-Parental-Control with affected versions (≤0.5.1). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9085 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy