VYPR
High severity · CVSS 8.8 · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-44932

Description

Unsanitized DHCP options in wicked before 0.6.79 allow shell command injection via leaseinfo files, enabling remote code execution by a malicious DHCP server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The wicked network configuration framework (versions before 0.6.79) does not sanitize DHCP option values such as POSIXTZSTRING when writing them to /run/wicked/leaseinfo.* files. The function __ni_leaseinfo_print_string() outputs the value enclosed in single quotes without escaping, allowing shell metacharacters to be injected [1]. Affected products include openSUSE Leap 15.4/15.5, SUSE Linux Enterprise Server 15 SP4/SP5/SP7, and others [2][3][4].

Exploitation

An attacker on the same network segment can operate a malicious DHCP server that sends crafted DHCP responses containing shell metacharacters in options like POSIXTZSTRING. The wicked client writes these unsanitized values to leaseinfo files. If a third-party script sources these files (e.g., via source /run/wicked/leaseinfo.*), the injected commands execute in the context of that script [1]. No authentication is required; only network adjacency is needed.

Impact

Successful exploitation leads to arbitrary command execution with the privileges of the script sourcing the leaseinfo file. This can result in full system compromise, including privilege escalation to root if the script runs with elevated privileges. The CVSS v3.1 score is 8.8 (High) with vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [1][2].

Mitigation

The vulnerability is fixed in wicked version 0.6.79, released on 2026-06-10 [4]. SUSE has issued security updates for multiple products (SUSE-SU-2026:2354-1, SUSE-SU-2026:2353-1, SUSE-SU-2026:2349-1) [2][3][4]. Users should update wicked to 0.6.79 or later. As a workaround, avoid sourcing leaseinfo files from untrusted scripts, or apply input validation on the file contents.

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • OpenSUSE / Wicked: 2 versions, no CPE assigned, affected range <0.6.79

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Insufficient sanitization of DHCP option values written to leaseinfo files allows shell metacharacters to be interpreted when third-party scripts source those files."

Attack vector

An attacker on the local or adjacent network operates a malicious DHCP server that responds to a victim's DHCP request with crafted DHCP options containing shell metacharacters (e.g., backticks, `$()`, semicolons). Wicked writes the unsanitized option values into `/run/wicked/leaseinfo.*` files. When a third-party script (such as dracut's `ifup.sh` [1]) sources that file, the shell interprets the metacharacters, resulting in arbitrary command execution on the victim machine. The CVSS vector indicates the attack requires adjacent network access, low complexity, no privileges, and no user interaction.

Affected code

The vulnerability resides in wicked's leaseinfo file generation (`/run/wicked/leaseinfo.*`). The code at `src/leaseinfo.c` (line 781 in the referenced commit) writes DHCP option values into these files without sanitizing shell metacharacters. Wicked itself does not source these files, but third-party scripts (e.g., dracut's `ifup.sh`, cloud-netconfig, SystemImager scripts) that source the leaseinfo files will inadvertently execute the injected commands.

What the fix does

The patch in wicked 0.6.79 addresses the issue by sanitizing DHCP option values before writing them to leaseinfo files. Specifically, the fix ensures that values are properly single-quoted or escaped so that shell metacharacters are treated as literal data rather than executable code. The netconfig path (`/run/netconfig/<ifname>/netconfig*`) already discards input that does not have strictly single-quoted values (`^'[^']*'`), but the leaseinfo files themselves were not protected. The update closes the injection vector at the source by sanitizing the output in `src/leaseinfo.c`.
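The workaround named under Mitigation (validate leaseinfo contents before sourcing them) and the strict single-quoted form described above can be combined into a guard for consuming scripts. The following is an added example, not wicked's or SUSE's code; it assumes leaseinfo files consist of NAME='value' assignment lines and constructs its own sample files.

```shell
#!/bin/sh
# Added example (not wicked's or SUSE's code): a guard for third-party
# scripts that source /run/wicked/leaseinfo.* files.  It accepts only
# lines of the form NAME='value' whose value contains no single quote
# (the strict single-quoted form the page says the netconfig path
# enforces), blank lines and '#' comments, and refuses to source a file
# containing anything else.  Assumption: leaseinfo files are made up of
# such assignment lines; adjust the pattern if your version differs.

SAFE_LINE="^([A-Za-z_][A-Za-z0-9_]*='[^']*'|#.*|[[:space:]]*)$"

# Return 0 if every line of the file "$1" matches SAFE_LINE, 1 otherwise.
leaseinfo_is_safe() {
    # grep -v prints the lines that do NOT match; any such line is a reject.
    if grep -Ev "$SAFE_LINE" "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Print the offending lines with line numbers (for logging or alerting).
# Returns 0 when at least one offending line was found, 1 when none.
leaseinfo_report() {
    grep -Env "$SAFE_LINE" "$1"
}

# Source "$1" into the current shell only after it passes validation.
safe_source_leaseinfo() {
    if ! leaseinfo_is_safe "$1"; then
        echo "refusing to source $1: unexpected content" >&2
        return 1
    fi
    . "$1"
}

# Constructed sample files for demonstration (not real captured leases).
GOOD_LEASE=$(mktemp); BAD_LEASE=$(mktemp)
cat >"$GOOD_LEASE" <<'EOF'
INTERFACE='eth0'
IPADDR='192.0.2.10/24'
POSIXTZSTRING='CET-1CEST,M3.5.0,M10.5.0/3'
EOF
# A value that breaks out of its quotes and appends a command substitution.
cat >"$BAD_LEASE" <<'EOF'
INTERFACE='eth0'
POSIXTZSTRING='UTC0'$(echo injected)'
EOF

if safe_source_leaseinfo "$GOOD_LEASE"; then
    echo "sourced: POSIXTZSTRING=$POSIXTZSTRING"
fi
safe_source_leaseinfo "$BAD_LEASE" || leaseinfo_report "$BAD_LEASE"
```

A value that legitimately contains a single quote is rejected rather than escaped, which is the conservative choice for a file whose contents originate from an untrusted network peer.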

Preconditions

  • Network: the attacker must be on the same local or adjacent network as the victim
  • Config: the victim must use wicked as its DHCP client together with a third-party script (e.g., dracut) that sources /run/wicked/leaseinfo.* files

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)

News mentions (0)

No linked articles in our index yet.