Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Superuser execution grants full node control, warranting C:H over the vendor's C:L; all other vendor metrics are well-supported by the description.
Primary rating from Vendor (Nokia).
CVSS VectorVendor: Nokia
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Nokia SR Linux is vulnerable to local privilege escalation vulnerability due to unsanitized format validation. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privileges.
AnalysisAI
Local privilege escalation in Nokia SR Linux affects multiple release trains and allows an already-authenticated user holding elevated local privileges to execute arbitrary commands as superuser by exploiting unsanitized format string handling (CWE-134). The attack vector is local and requires high prior privileges (CVSS AV:L/PR:H), significantly limiting the exposure surface compared to a network-exploitable flaw. No public exploit code and no CISA KEV listing have been identified at time of analysis; Nokia has released patches across all affected branch lines.
Technical ContextAI
CWE-134 (Use of Externally-Controlled Format String) occurs when user-supplied input is passed to a format function (e.g., printf-family) without sanitization, allowing injection of format specifiers such as %n, %x, or %s to read/write arbitrary memory or redirect execution. In Nokia SR Linux - a Linux-based network operating system for IP/MPLS routing and data center fabric scenarios (CPE cpe:2.3:a:nokia:sr_linux:*) - the flaw resides in the input validation layer, meaning a crafted input submitted through an authenticated management interface or CLI session triggers the format string mishandling. The scope change is not present (S:U), indicating the exploit remains within the SR Linux process boundary, but successful exploitation yields superuser-level command execution, which effectively compromises the entire node.
RemediationAI
Upgrade to a fixed SR Linux release: 23.10.8 or later for the 23.10.x train, 24.10.6 or later for the 24.10.x train, or 25.7.2 or later for the 25.7.x train, as documented in the Nokia security advisory at https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-10262/. Because exploitation requires a locally authenticated user with high privileges, operators who cannot immediately patch should audit and restrict the set of accounts holding elevated SR Linux CLI roles, enforce multi-factor authentication or privileged access workstation (PAW) controls for management access, and review SR Linux role-based access control (RBAC) policies to enforce least-privilege on all operator accounts. These compensating controls reduce the attacker's opportunity but do not eliminate the underlying format string flaw, so patching remains the definitive remediation.
Same weakness CWE-134 – Use of Externally-Controlled Format String
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210164
GHSA-h3gf-qq8m-r4r7