[Pkg-utopia-maintainers] Bug#1139285: Bug#1139285: network-manager: CVE-2026-10805
Michael Biebl
biebl at debian.org
Mon Jun 8 14:50:55 BST 2026
Hi Moritz
On 08.06.26 at 11:39, Moritz Mühlenhoff wrote:
> Source: network-manager
> X-Debbugs-CC: team at security.debian.org
> Severity: normal
> Tags: security
>
> Hi,
>
> The following vulnerability was published for network-manager.
>
> CVE-2026-10805[0]:
> | A flaw was found in NetworkManager. This local privilege escalation
> | vulnerability exists in NetworkManager's dhclient backend when
> | processing malformed Manufacturer Usage Description (MUD) URLs. A
> | local user can exploit this flaw to escalate privileges by
> | triggering a script via a crafted MUD URL, provided an administrator
> | has explicitly configured NetworkManager to use dhclient. This issue
> | does not affect default configurations of NetworkManager.
>
> The only reference here is https://bugzilla.redhat.com/show_bug.cgi?id=2484613
> but given that NM has defaulted to the internal DHCP client for ages and
> forky doesn't even include dhclient anymore, this seems really harmless.
Agreed. I will close the bug report once a fix lands upstream (or will
close it if none is provided) but I don't plan any backports or stable
uploads.
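
To check whether a host meets the precondition named in the CVE description (NetworkManager explicitly configured to use dhclient), the following shell functions scan the `[main]` section of each NetworkManager configuration file for a `dhcp=` setting. This is an added example, not part of the original email or of NetworkManager; the search paths and the `dhcp` key follow NetworkManager.conf(5), the function names are hypothetical, and the code reports each file's setting without resolving override order.

```shell
#!/bin/sh
# Added example: find NetworkManager config files that select the dhclient backend.
# Assumption: standard config locations from NetworkManager.conf(5). Pass a
# different root as $1 to scan an unpacked image or a test tree.

# Print "file: dhcp=value" for each file whose [main] section sets dhcp.
nm_dhcp_settings() {
    root="${1:-}"
    for f in "$root/usr/lib/NetworkManager/conf.d"/*.conf \
             "$root/run/NetworkManager/conf.d"/*.conf \
             "$root/etc/NetworkManager/NetworkManager.conf" \
             "$root/etc/NetworkManager/conf.d"/*.conf; do
        [ -f "$f" ] || continue          # skip unmatched globs and missing files
        awk -v file="$f" '
            /^[ \t]*#/ { next }                          # comment line
            /^[ \t]*\[/ {                                # section header
                s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
                in_main = (s == "main"); next
            }
            in_main && /^[ \t]*dhcp[ \t]*=/ {            # dhcp key inside [main]
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print file ": dhcp=" v
            }' "$f"
    done
}

# Return 0 if any scanned file selects dhclient, 1 otherwise.
nm_uses_dhclient() {
    nm_dhcp_settings "${1:-}" | grep -q ': dhcp=dhclient$'
}

# Usage: nm_uses_dhclient && echo "dhclient backend is configured on this host"
```

`NetworkManager --print-config` prints the merged configuration the daemon actually uses, which settles cases where several files set `dhcp`.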