CVE-2026-44933

Vulnerability

The PluginScript component attempts to chroot(2) a plugin to the repoManagerRoot. In standard configurations, or when using --root, this root is frequently / (the system root). When the chroot target is /, the call is effectively a no-op, allowing the plugin's traversed path to execute host binaries (like /bin/bash) with root privileges. The exact affected versions are not disclosed in the available references [1].

Exploitation

An attacker with the ability to install or control a plugin can trigger the execution of arbitrary host binaries. No additional authentication or network position is required beyond the existing plugin installation mechanism, as the chroot does not actually confine the plugin's file system view. The concrete steps involve configuring the plugin execution environment such that the repoManagerRoot is /; the plugin then calls a binary on the host filesystem, which runs with root privileges due to the dropped privileges of the parent process [1].

Impact

Successful exploitation allows an attacker to execute arbitrary host binaries as root. This results in full compromise of the affected system, including complete loss of confidentiality, integrity, and availability. The attacker gains root-level access and can execute any command on the host [1].

Mitigation

Not yet disclosed in the available references [1]. The vendor (SUSE) has not published a fixed version or workaround. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. Users should monitor the referenced bug tracker for upcoming patches.