2484613 – (CVE-2026-10805) CVE-2026-10805 NetworkManager: NetworkManager: Local privilege escalation via malformed MUD URLs in dhclient backend

Bug 2484613 (CVE-2026-10805) - CVE-2026-10805 NetworkManager: NetworkManager: Local privilege escalation via malformed MUD URLs in dhclient backend

Summary: CVE-2026-10805 NetworkManager: NetworkManager: Local privilege escalation via...

Keywords:
Status:	NEW
Alias:	CVE-2026-10805
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-06-04 05:12 UTC by OSIDB Bzimport
Modified:	2026-06-04 05:21 UTC (History)
CC List:	32 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-06-04 05:12:04 UTC

A flaw was found in NetworkManager. This local privilege escalation vulnerability exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A local user can exploit this flaw to escalate privileges by triggering a script via a crafted MUD URL, provided an administrator has explicitly configured NetworkManager to use dhclient. This issue does not affect default configurations of NetworkManager.

Note You need to log in before you can comment on or make changes to this bug.

alcohan
asoldano
bbaranow
bmaxwell
bstansbe
crizzo
dlofthou
gparvin
istudens
ivassile
iweiss
jbalunas
jmitchel
kshier
mosmerov
msvehla
nwallace
pahickey
pberan
pbohmill
pesilva
pjindal
pmackay
rhaigner
rhel-process-autobot
rstancel
security-response-team
smaestri
teagle
thjenkin
vdosoudi
watson-tool-maintainers