CVE-2026-44932
indirect remote shell command injection via unsanitized DHCP options in wicked
| CVSS Score | 8.8 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Passing of unsanitized strings from DHCP replies into the wicked DHCP client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.
| CWE | CWE-78 |
| Vendor | suse |
| Product | wicked |
| Published | Jun 16, 2026 |
| Last Updated | Jun 16, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | Adjacent |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions
SUSE / wicked
0 < 0.6.79
References
bugzilla.suse.com: https://bugzilla.suse.com/show_bug.cgi?id=1265221
github.com: https://github.com/openSUSE/wicked/releases/tag/version-0.6.79
lists.suse.com: https://lists.suse.com/pipermail/sle-security-updates/2026-June/026688.html
lists.suse.com: https://lists.suse.com/pipermail/sle-security-updates/2026-June/026689.html
lists.suse.com: https://lists.suse.com/pipermail/sle-security-updates/2026-June/026690.html
lists.suse.com: https://lists.suse.com/pipermail/sle-security-updates/2026-June/026691.html
Credits
Wolfgang Frisch using Claude Opus