Skip to main content

Suse EUVDEUVD-2026-20455

| CVE-2026-5208 HIGH
OS Command Injection (CWE-78)
2026-04-08 GitLab GHSA-745q-62mf-gxpx
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Apr 16, 2026 - 06:02 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
4.0.0
Analysis Updated
Apr 16, 2026 - 01:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 01:21 vuln.today
cvss_changed
EUVD ID Assigned
Apr 08, 2026 - 11:46 euvd
EUVD-2026-20455
Analysis Generated
Apr 08, 2026 - 11:46 vuln.today
CVE Published
Apr 08, 2026 - 11:36 nvd
HIGH 8.2

DescriptionCVE.org

Command injection in alerts in CoolerControl/coolercontrold <4.0.0 allows authenticated attackers to execute arbitrary code as root via injected bash commands in alert names

AnalysisAI

Command injection in CoolerControl daemon (coolercontrold) versions prior to 4.0.0 allows high-privileged local attackers to escalate privileges to root by embedding malicious bash commands in alert configuration names. The vulnerability enables authenticated administrators to execute arbitrary system commands with root privileges through the alert management interface. EPSS score of 0.05% (17th percentile) indicates low current exploitation probability, with no active exploitation confirmed and CISA SSVC assessment marking exploitation status as 'none' and automatable as 'no'.

Technical ContextAI

CoolerControl is a Linux cooling device management daemon that runs with elevated privileges to control hardware. The vulnerability resides in the alert handling code (alerts.rs), specifically at line 576 in version 3.1.0, where user-supplied alert names are processed without proper input sanitization before being passed to shell command execution contexts. This represents a classic CWE-78 OS command injection flaw where attacker-controlled strings are interpolated into system calls. Because coolercontrold operates as a privileged daemon (requiring root or equivalent to manage hardware), successful command injection results in code execution at the highest privilege level. The scope change in the CVSS vector (S:C) reflects the privilege escalation from high-privileged user (PR:H) to root.

RemediationAI

Upgrade coolercontrold to version 4.0.0 or later, available at https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0. The fixed release addresses the command injection vulnerability in alert name processing. For environments unable to immediately upgrade, restrict access to the coolercontrold alert configuration interface to only absolutely trusted administrators through OS-level permission hardening, and audit all existing alert configurations for suspicious content (look for shell metacharacters like $, `, ;, |, &, or newlines in alert names). Monitor coolercontrold process execution for unexpected child processes or shell invocations. Note that disabling the alerts feature entirely (if supported by configuration) eliminates the attack surface but removes hardware monitoring capabilities. No workaround fully mitigates the risk - upgrading to 4.0.0 is the only complete remediation.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-20455 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy