#1139285 network-manager: CVE-2026-10805

#1139285#5
Date:
2026-06-08 09:39:25 UTC
Hi,

The following vulnerability was published for network-manager.

CVE-2026-10805[0]:
| A flaw was found in NetworkManager. This local privilege escalation
| vulnerability exists in NetworkManager's dhclient backend when
| processing malformed Manufacturer Usage Description (MUD) URLs. A
| local user can exploit this flaw to escalate privileges by
| triggering a script via a crafted MUD URL, provided an administrator
| has explicitly configured NetworkManager to use dhclient. This issue
| does not affect default configurations of NetworkManager.

The only reference here is https://bugzilla.redhat.com/show_bug.cgi?id=2484613
but given that NM has defaulted to the internal DHCP client for ages and
forky doesn't even include dhclient anymore, this seems really harmless.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-10805
https://www.cve.org/CVERecord?id=CVE-2026-10805

Please adjust the affected versions in the BTS as needed.

#1139285#10
Date:
2026-06-08 13:50:55 UTC
Hi Moritz

On 08.06.26 at 11:39, Moritz Mühlenhoff wrote:

Agreed. I will close the bug report once a fix lands upstream (or will
close it if none is provided) but I don't plan any backports or stable
uploads.

#1139285#15
Date:
2026-06-08 15:39:13 UTC
I agree, I'll mark it as ignored due to minimal impact for all existing older
suites.

Cheers,
        Moritz
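
Added example, not part of the bug log or of NetworkManager's code: a check for the precondition named in the CVE description, namely whether an administrator has set the `dhcp` key in `[main]` to `dhclient`. It follows the load order documented in NetworkManager.conf(5); the `BUILD_DEFAULT` value and the function names are assumptions, and `NetworkManager-intern.conf` and command-line overrides are not considered.

```python
import configparser
from pathlib import Path

BUILD_DEFAULT = "internal"  # assumption: the default the report describes

def ordered_config_files(root="/"):
    """Config files in NetworkManager.conf(5) load order; later files override."""
    nm = lambda base: Path(root) / base / "NetworkManager"
    usr, run, etc = (nm(b) / "conf.d" for b in ("usr/lib", "run", "etc"))
    snippets = lambda d: sorted(d.glob("*.conf")) if d.is_dir() else []
    etc_names = {p.name for p in snippets(etc)}
    run_names = {p.name for p in snippets(run)}
    # A same-named file in /etc (or /run) shadows the one in /run (or /usr/lib).
    files = [p for p in snippets(usr) if p.name not in etc_names | run_names]
    files += [p for p in snippets(run) if p.name not in etc_names]
    main = nm("etc") / "NetworkManager.conf"
    if main.is_file():
        files.append(main)
    return files + snippets(etc)

def effective_dhcp_backend(root="/"):
    """Return (backend, file that set it or None) for the [main] dhcp key."""
    backend, source = BUILD_DEFAULT, None
    for path in ordered_config_files(root):
        cp = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",), comment_prefixes=("#",))
        cp.optionxform = str  # keyfile keys are case-sensitive
        try:
            cp.read_string(path.read_text(errors="replace"), source=str(path))
        except (configparser.Error, OSError):
            continue  # unreadable or malformed snippet: skip it here
        if cp.has_option("main", "dhcp"):
            backend, source = cp.get("main", "dhcp").strip(), path
    return backend, source

if __name__ == "__main__":
    backend, source = effective_dhcp_backend()
    print(f"dhcp backend: {backend} (set in {source or 'no file, default assumed'})")
    if backend == "dhclient":
        print("dhclient backend configured: the CVE precondition is met")
```

On a live system, `NetworkManager --print-config` prints the merged configuration the daemon itself uses and can confirm the result.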