HIGH · CVE-2026-44932 · CNA: suse

CVE-2026-44932: indirect remote shell command injection via unsanitized DHCP options in wicked

Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 0.6.79
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a remote shell command injection vulnerability in wicked, the SUSE network configuration service and DHCP client, affecting all versions before 0.6.79. An attacker operating a malicious DHCP server on the same network segment can send crafted DHCP reply options that wicked passes unsanitized to shell commands, requiring no authentication and no interaction from the victim. Successful exploitation gives the attacker code execution on the affected host with the privileges of the wicked process. A patched-image rebuild at version 0.6.79 is available on HarborGuard for environments running an affected version.
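The defect class behind this CVE, shown as an added example that is not wicked's code: a DHCP client hands option strings (hostname, domain) to a hook script, and the hardened form allowlists each value and passes it as a separate argv entry instead of through a shell. The option names, hook path and sample values are assumptions made for the example.

```python
"""Added example (not wicked's code): validating DHCP-supplied string
options before a DHCP client hands them to a shell hook script.

Assumption: the client runs a hook with the new hostname and domain
interpolated into a shell command line, which is the class of defect
described for CVE-2026-44932. Option names, the hook path and the
sample values below are constructed for this example."""
import re
import shlex

# RFC 1123 hostname label: letters, digits, hyphens; no leading or
# trailing hyphen; 1-63 chars. A DNS name is dot-separated labels.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_dns_name(value: str) -> bool:
    """Allowlist check: True only for a syntactically valid DNS name."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def hook_command_unsafe(hostname: str, domain: str) -> str:
    """The vulnerable pattern: untrusted option values spliced into a
    shell command line. A value such as 'host;id' changes the command
    the shell runs, which is exactly what a rogue DHCP server controls."""
    return f"/etc/dhcp-hooks/set-name {hostname} {domain}"


def hook_command_safe(hostname: str, domain: str) -> list[str]:
    """Hardened form: reject anything outside the allowlist, then pass
    the values as separate argv entries so no shell ever parses them."""
    for name, value in (("host-name", hostname), ("domain-name", domain)):
        if not is_valid_dns_name(value):
            raise ValueError(f"rejected DHCP option {name}: {value!r}")
    return ["/etc/dhcp-hooks/set-name", hostname, domain]


def log_line(argv: list[str]) -> str:
    """For logging only: quote each argument so the log is unambiguous."""
    return shlex.join(argv)
```

Rejected values are worth logging (via `log_line`) and alerting on, since a DHCP reply carrying shell metacharacters is itself an indicator of a rogue server on the segment.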

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-44932 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle wicked. Any image shipping wicked older than 0.6.79 is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 8.8 HIGH (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and can weight that score against each customer environment's compliance policy to prioritize findings. Alerts can be routed to the appropriate team inbox within each customer organization based on registry, namespace, or policy group configuration.

Patch: Available

A patched-image rebuild at wicked 0.6.79 becomes available on HarborGuard once an affected image is detected. For customers who opt into auto-remediation, HarborGuard can rebuild the image, run a regression test suite, and open a pull request against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Adjacent network (AV:A)

    The attacker must be present on the same adjacent network, LAN, or VPN segment as the target, positioned to serve DHCP replies to the victim host; remote internet-based exploitation is not possible directly.

  • Authentication: Not required

    No credentials or prior account access are needed; the attacker only needs to operate a DHCP server on the adjacent network.

  • Victim interaction: Not required

    No action by the victim is required; exploitation occurs automatically when the host requests or renews a DHCP lease.

  • Attack complexity: Low (AC:L)

    Exploit conditions are straightforward and reliable; no race conditions or unusual environmental factors need to be satisfied beyond controlling a DHCP server on the local segment.

Blast Radius

  • The attacker executes arbitrary shell commands on the target host with the privileges of the wicked process.
  • All data accessible to that process, including network credentials and configuration secrets stored on disk, is readable by the attacker.
  • The attacker can modify network interface configuration, routing tables, and DNS resolver settings, redirecting or intercepting host traffic.
  • The wicked service and dependent networking functionality can be crashed or disabled, cutting the host off from network connectivity.

How HarborGuard Handles This

Available on HarborGuard: any image containing wicked older than 0.6.79 is matched against this CVE within minutes of the advisory entering upstream feeds, covering images pulled from external registries and images built internally. Where compliance policy permits, the patched rebuild at 0.6.79 can be generated automatically; customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads. For environments where auto-remediation requires manual approval, the pending rebuild is surfaced in the HarborGuard dashboard with the CVSS 8.8 HIGH score and policy-weighted priority. Given the adjacent-network attack surface, teams that cannot patch immediately should consider isolating affected hosts behind network policy controls that restrict untrusted DHCP sources until the patched image is deployed, for example by enforcing DHCP snooping at the switch layer or binding hosts to a known DHCP server via network policy.


Fix available: 0.6.79

Affected packages
  • SUSE / wicked: < 0.6.79 (from 0)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H