CVE-2026-44942
Received Received - Intake
Path Traversal in libzypp Before 17.38.13

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: SUSE

Description
A path traversal in handling the "path" component of .repo files processed by libzypp before 17.38.13 in the 17.x series, or before 16.22.19 could be used by attackers to fill directories on the system outside of the zypp cache with content.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-18
Last Modified
2026-06-18
Generated
2026-06-19
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-44942
EUVD
EUVD-2026-37871
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
suse libzypp to 16.22.19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-24 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44942 is a path traversal vulnerability in libzypp, a software library used for package management in SUSE Linux systems.

The vulnerability arises from the handling of the "path" component in .repo files processed by libzypp before versions 17.38.13 (17.x series) and 16.22.19 (16.x series).

An attacker can exploit this flaw by crafting .repo files with a malicious "path" directive, allowing them to write files outside the intended zypp cache directory.

This means attackers could fill arbitrary system directories with content, potentially causing system issues.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can impact system availability by allowing attackers to write arbitrary files outside the zypp cache directory.

By filling system directories with unwanted content, it could lead to disk space exhaustion or disruption of normal system operations.

The CVSS v3.1 score of 6.5 indicates a medium severity, primarily affecting the availability of the system.

Mitigation Strategies

To mitigate the CVE-2026-44942 vulnerability, you should update libzypp to a fixed version. The vulnerability is addressed in libzypp versions 17.38.13 (for the 17.x series) and 16.22.19 (for the 16.x series).

SUSE has released security updates including SUSE-SU-2026:22073-1 and SUSE-SU-2026:22064-1, which include patches for affected products such as SUSE Linux Micro 6.0 and 6.1, SUSE Linux Enterprise, and openSUSE Tumbleweed.

Applying these updates and patches promptly will prevent attackers from exploiting the path traversal vulnerability in .repo files processed by libzypp.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart