Skip to main content

NetworkManager EUVDEUVD-2026-34207

| CVE-2026-10805 MEDIUM
OS Command Injection (CWE-78)
2026-06-04 redhat GHSA-rwc7-7qq8-w477
6.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.7 MEDIUM
AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.7 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 04, 2026 - 05:44 vuln.today
CVE Published
Jun 04, 2026 - 05:21 nvd
MEDIUM 6.7

DescriptionCVE.org

A flaw was found in NetworkManager. This local privilege escalation vulnerability exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A local user can exploit this flaw to escalate privileges by triggering a script via a crafted MUD URL, provided an administrator has explicitly configured NetworkManager to use dhclient. This issue does not affect default configurations of NetworkManager.

AnalysisAI

Local privilege escalation in NetworkManager's dhclient backend allows a low-privileged local user to execute arbitrary OS commands with elevated privileges by supplying a crafted Manufacturer Usage Description (MUD) URL. Exploitation is strictly limited to systems where an administrator has explicitly reconfigured NetworkManager to use the dhclient backend - a non-default setting - meaning the vast majority of deployments are unaffected by design. CVSS 6.7 (local vector, high complexity, user interaction required) accurately reflects the constrained exploitation conditions; no public exploit code or CISA KEV listing exists at time of analysis.

Technical ContextAI

NetworkManager is the standard network management daemon on Linux, supporting multiple DHCP backends including its own internal client (the default) and the legacy ISC dhclient. The dhclient backend processes Manufacturer Usage Description (MUD) URLs - an IoT-oriented mechanism defined in RFC 8520 that allows devices to declare their intended network behavior via a URL supplied during DHCP negotiation. CWE-78 (Improper Neutralization of Special Elements Used in an OS Command - OS Command Injection) indicates that MUD URL content is passed unsanitized into a shell script or exec call within the dhclient integration layer, allowing injection of arbitrary shell commands. Affected CPE strings cover Red Hat Enterprise Linux 6, 7, 8, and 10, as well as Multicluster Engine for Kubernetes, all within the Red Hat product ecosystem.

RemediationAI

No vendor-released patch version has been independently confirmed from the available data - the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-10805 and the associated Bugzilla ticket at https://bugzilla.redhat.com/show_bug.cgi?id=2484613 should be monitored for patch availability and exact fix versions. As an immediate compensating control, administrators should audit whether dhclient has been explicitly set as the NetworkManager DHCP backend by checking /etc/NetworkManager/NetworkManager.conf for the directive 'dhcp=dhclient'; if present, reverting to the default internal backend ('dhcp=internal') eliminates the attack surface entirely with minimal operational impact, as the internal backend supports standard DHCP functionality. If dhclient is operationally required for specific features, restrict local interactive shell access for untrusted users on affected systems and audit which accounts have permissions to influence network interface configuration or trigger DHCP renegotiation events.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

EUVD-2026-34207 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy