Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Repo metadata is network-delivered (AV:N) with no attacker privileges (PR:N) but requires the victim to add/refresh the malicious repo (UI:R); root file overwrite yields total integrity/availability loss and code-execution-driven confidentiality impact.
Primary rating from Vendor (suse).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
A relative path traversal in the "keyhint" option in repomd.xml parsing of libzypp before 17.38.12 can be used by attackers able to supply a malicious repository to inject or overwrite files in the target system as root.
AnalysisAI
Arbitrary root file write in libzypp before 17.38.12 lets an attacker who can get a victim to add or refresh a malicious software repository overwrite or inject files anywhere on the system as root, because the "keyhint" value in repomd.xml is parsed without rejecting path separators (CWE-23 relative path traversal). Because libzypp performs repository operations with root privileges on SUSE/openSUSE systems, this escalates directly to full host compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to control the content of a repository's repomd.xml metadata (a hosted malicious repo, a compromised mirror, or a MITM position on repository traffic) AND the victim system must add or refresh that repository via libzypp/zypper - this is the UI:R user-interaction requirement. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are broadly consistent and point to a serious but not trivially remote-mass-exploitable issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker stands up (or MITM-substitutes) a software repository whose repomd.xml contains a gpg-pubkey keyhint value embedding a relative path traversal sequence. When an administrator or automated tooling adds or refreshes that repository, vulnerable libzypp resolves the attacker-controlled keyhint as a filesystem path and writes/overwrites a file as root - for example dropping a cron job, sudoers fragment, or SSH key - yielding root code execution. … |
| Remediation | Vendor-released patch: upgrade libzypp to 17.38.12 or later, which fixes the keyhint regex to reject path separators (upstream commit https://github.com/openSUSE/libzypp/commit/294b1bad442d089ca671c5c03adc8031e3b29e04; tracking bug https://bugzilla.suse.com/show_bug.cgi?id=1267426). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory systems running libzypp versions before 17.38.12. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Arbitrary file overwrite in libzypp before 17.38.10 lets a remote attacker who controls a software repository plant craf
The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the c
Path traversal in libzypp's .repo file processing enables low-privileged network-accessible attackers to write content i
The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41406
GHSA-wp9x-wjhc-28mv