CVE-2026-44932
Status: Awaiting Analysis
Remote Code Execution in wicked DHCP Client

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: SUSE

Description
Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.
Meta Information
Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 3 associated CPEs

Vendor   Product   Version / Range
wicked   wicked    0.6.79
suse     wicked    0.6.79
suse     wicked    *
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

CVE-2026-44932 is a security vulnerability in the wicked network configuration tool that arises from the improper handling of unsanitized DHCP reply strings. Specifically, wicked writes DHCP options containing unsanitized strings, including single-quotes, into leaseinfo files without proper escaping or validation.

Attackers operating a malicious DHCP server can exploit this by sending crafted DHCP responses containing shell metacharacters. When third-party scripts source these leaseinfo files, the malicious strings can lead to indirect remote shell command injection, allowing execution of arbitrary commands on the local machine.

The vulnerability affects commands such as `wicked test dhcp4` and `wicked test dhcp6`, which write data to leaseinfo files that other components consume later. The issue was fixed in wicked version 0.6.79 by properly escaping single-quotes and discarding string values containing them in DHCP options, along with stricter validation of certain DHCP options to comply with RFC4833.

Impact Analysis

This vulnerability can allow an attacker on the local or adjacent network to execute arbitrary shell commands on your machine by sending malicious DHCP responses.

If exploited, attackers could gain unauthorized access, potentially with elevated privileges, leading to remote code execution, modification of critical system files, or full system compromise.

The impact is severe as it affects core network configuration components and can be triggered without user interaction, making it a high-risk security issue.

Detection Guidance

The vulnerability involves unsanitized DHCP options being written to leaseinfo files; the wicked test commands that process DHCP replies can be used to inspect what is written.

  • Use the command `wicked test dhcp4` to test DHCPv4 lease information handling.
  • Use the command `wicked test dhcp6` to test DHCPv6 lease information handling.

These commands help identify if unsanitized strings with potentially malicious content are being processed, as the vulnerability arises from improper handling of single-quotes in leaseinfo dump output.

Mitigation Strategies

To mitigate this vulnerability, you should immediately apply the security update that fixes the issue by upgrading wicked to version 0.6.79 or later.

  • Use YaST online_update or run `zypper patch` to install the updated wicked package.
  • If updating from versions earlier than 0.6.79, regenerate your initrd as it may contain vulnerable wicked binaries.

The update includes proper escaping of single-quotes in leaseinfo dump output and stricter validation of DHCP options to prevent command injection.
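As an added example (not the page's or wicked's own code), the small Python checker below assumes a leaseinfo-style dump made of `KEY='value'` lines that a shell script later sources; it flags any line a hostile DHCP reply could have broken out of, and shows the two fixes the summary describes, escaping a single-quote or discarding the value outright. The file format and the sample dump are assumptions for illustration.

```python
import re
from typing import List, Optional

# Constructed leaseinfo-style dump (assumed KEY='value' format, not wicked's
# real file). Line 3 shows what an unescaped single-quote from a DHCP reply
# does: everything after it becomes shell syntax once the file is sourced.
SAMPLE_DUMP = """\
IPADDR='192.0.2.10/24'
HOSTNAME='it'\\''s-box'
DNSDOMAIN='example.org' ; id ; :'
NTPSERVERS='192.0.2.1 192.0.2.2'
"""

# A line is safe to source only if it is exactly one KEY='...' assignment whose
# body contains no bare single-quote; the '\'' idiom is the only quote allowed.
SAFE_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*='(?:[^']|'\\'')*'$")


def find_unsafe_lines(dump: str) -> List[int]:
    """Return 1-based numbers of lines that would not be safe to source."""
    unsafe = []
    for lineno, line in enumerate(dump.splitlines(), start=1):
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no shell syntax
        if not SAFE_LINE.match(line):
            unsafe.append(lineno)
    return unsafe


def quote_option(value: str, discard_quotes: bool = True) -> Optional[str]:
    """Shell-quote one DHCP string value for a sourced file.

    discard_quotes=True mirrors the stricter policy of dropping any value
    carrying a single-quote; otherwise the quote is escaped as '\\''.
    """
    if "'" in value:
        if discard_quotes:
            return None
        value = value.replace("'", "'\\''")
    return "'" + value + "'"


def render_assignment(key: str, value: str, discard_quotes: bool = True) -> Optional[str]:
    """Build a KEY='value' line; None means the option was discarded."""
    quoted = quote_option(value, discard_quotes)
    return None if quoted is None else f"{key}={quoted}"
```

Running `find_unsafe_lines(SAMPLE_DUMP)` reports only line 3; the escaped hostname on line 2 and the rendered output of `render_assignment` both pass the same check.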
