On Mon, Jun 08, 2026 at 03:50:55PM +0200, Michael Biebl wrote:
> Hi Moritz
>
> On 08.06.26 at 11:39, Moritz Mühlenhoff wrote:
> > Source: network-manager
> > X-Debbugs-CC: [email protected]
> > Severity: normal
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was published for network-manager.
> >
> > CVE-2026-10805[0]:
> > | A flaw was found in NetworkManager. This local privilege escalation
> > | vulnerability exists in NetworkManager's dhclient backend when
> > | processing malformed Manufacturer Usage Description (MUD) URLs. A
> > | local user can exploit this flaw to escalate privileges by
> > | triggering a script via a crafted MUD URL, provided an administrator
> > | has explicitly configured NetworkManager to use dhclient. This issue
> > | does not affect default configurations of NetworkManager.
> >
> > The only reference here is
> > https://bugzilla.redhat.com/show_bug.cgi?id=2484613
> > but given that NM has defaulted to the internal DHCP client for ages and
> > forky doesn't even include dhclient anymore, this seems really harmless.
>
> Agreed. I will close the bug report once a fix lands upstream (or will close
> it if none is provided) but I don't plan any backports or stable uploads.

I agree, I'll mark it as ignored due to minimal impact for all existing older
suites.

Cheers,
Moritz
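
A check for the precondition named in the CVE text above (an administrator explicitly selecting dhclient), as an added example that is not part of the original mails or of NetworkManager. It assumes the backend is chosen by the `dhcp` key in the `[main]` section, that the caller passes file contents in the order NetworkManager reads them (later files override earlier ones), and it runs on constructed sample configs; the function names are hypothetical.

```python
import configparser

# Constructed sample configs (not from a real host). Each list is ordered the
# way the caller believes NetworkManager reads the files; later files win.
ADMIN_SELECTED_DHCLIENT = [
    ("/etc/NetworkManager/NetworkManager.conf",
     "[main]\nplugins=ifupdown,keyfile\n"),
    ("/etc/NetworkManager/conf.d/10-dhcp.conf",
     "# constructed override\n[main]\ndhcp=dhclient\n"),
]
OVERRIDDEN_BACK = [
    ("/etc/NetworkManager/NetworkManager.conf", "[main]\ndhcp=dhclient\n"),
    ("/etc/NetworkManager/conf.d/90-dhcp.conf", "[main]\ndhcp = internal\n"),
]
UNSET = [("/etc/NetworkManager/NetworkManager.conf",
          "[main]\nplugins=keyfile\n")]


def dhcp_settings(files):
    """Return [(path, value)] for each file that sets dhcp in [main]."""
    found = []
    for path, text in files:
        cp = configparser.ConfigParser(strict=False, interpolation=None)
        cp.optionxform = str  # keep key case; only lowercase 'dhcp' is looked up
        try:
            cp.read_string(text, source=path)
        except configparser.Error:
            found.append((path, "<unparsable>"))  # surface it, do not guess
            continue
        if cp.has_option("main", "dhcp"):
            found.append((path, cp.get("main", "dhcp").strip()))
    return found


def effective_backend(files):
    """Last parsable setting wins; None means the built-in default applies."""
    values = [v for _, v in dhcp_settings(files) if v != "<unparsable>"]
    return values[-1] if values else None


def uses_dhclient(files):
    """True when the configuration meets the CVE's stated precondition."""
    return effective_backend(files) == "dhclient"
```

On a live system, `NetworkManager --print-config` prints the merged configuration, which can be fed to the same functions as a single file.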