[Pkg-utopia-maintainers] Bug#1139285: network-manager: CVE-2026-10805
Moritz Mühlenhoff
jmm at inutil.org
Mon Jun 8 10:39:25 BST 2026
Source: network-manager
X-Debbugs-CC: team at security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerability was published for network-manager.
CVE-2026-10805[0]:
| A flaw was found in NetworkManager. This local privilege escalation
| vulnerability exists in NetworkManager's dhclient backend when
| processing malformed Manufacturer Usage Description (MUD) URLs. A
| local user can exploit this flaw to escalate privileges by
| triggering a script via a crafted MUD URL, provided an administrator
| has explicitly configured NetworkManager to use dhclient. This issue
| does not affect default configurations of NetworkManager.
The only reference here is https://bugzilla.redhat.com/show_bug.cgi?id=2484613
but given that NM has defaulted to the internal DHCP client for ages and
forky doesn't even include dhclient anymore, this seems really harmless.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-10805
https://www.cve.org/CVERecord?id=CVE-2026-10805
Please adjust the affected versions in the BTS as needed.
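
Added example, not part of the original message and not NetworkManager's own code: a check for the precondition named in the CVE description, namely a configuration that explicitly selects the dhclient backend. It assumes the backend is chosen by the dhcp= key in the [main] section, as documented in NetworkManager.conf(5); the function names are this example's own.

```shell
#!/bin/sh
# Added example: list NetworkManager config files that select the dhclient
# DHCP backend, the precondition named in the CVE-2026-10805 description.
# Assumption: the backend is chosen by the dhcp= key in [main], as documented
# in NetworkManager.conf(5). Function names are this example's own.

# Print the value of every dhcp= key in the [main] section of one file.
nm_dhcp_values() {
    awk '
        /^[ \t]*\[/ {                       # section header: track [main]
            s = $0; gsub(/[ \t\r]/, "", s)
            in_main = (s == "[main]"); next
        }
        in_main && /^[ \t]*dhcp[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)     # drop the "dhcp =" prefix
            sub(/[ \t\r]+$/, "", v)         # drop trailing blanks and CR
            print v
        }
    ' "$1"
}

# Print "<file>: dhcp=<value>" for each setting found; return 0 if any file
# selects dhclient, 1 otherwise. Precedence between files is not resolved,
# so a dhclient line that a later file overrides is still reported.
nm_uses_dhclient() {
    hit=1
    for f in "$@"; do
        [ -f "$f" ] || continue             # skips unmatched globs
        for v in $(nm_dhcp_values "$f"); do
            echo "$f: dhcp=$v"
            if [ "$v" = "dhclient" ]; then hit=0; fi
        done
    done
    return "$hit"
}

# Scan the configuration locations listed in NetworkManager.conf(5).
nm_scan_system() {
    nm_uses_dhclient /usr/lib/NetworkManager/conf.d/*.conf \
        /run/NetworkManager/conf.d/*.conf \
        /etc/NetworkManager/NetworkManager.conf \
        /etc/NetworkManager/conf.d/*.conf
}

if [ "${1:-}" = "--scan" ]; then
    nm_scan_system && echo "dhclient backend is configured"
fi
```

Run the script with --scan on the host to be checked. `NetworkManager --print-config` prints the merged configuration the daemon actually uses, which settles any case where several files set dhcp=.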