CVE-2026-44941
Received Received - Intake

Relative Path Traversal in libzypp Repository Parsing

Vulnerability report for CVE-2026-44941, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: SUSE

Description

A relative path traversal in the "keyhint" option in repomd.xml parsing of libzypp before 17.38.12 can be used by attackers able to supply a malicious repository to inject or overwrite files in the target system as root.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-02
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
suse libzypp to 17.38.12 (exc)
suse libzypp From 17.38.12 (inc)
suse opensuse_leap *
suse suse_linux_enterprise *
suse opensuse_tumbleweed *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44941 is a path traversal vulnerability in libzypp, a software library used by package management tools like zypper and YaST in SUSE-based systems.

The vulnerability arises from improper validation of the "keyhint" option in repomd.xml files, which allows an attacker who can supply a malicious repository to perform directory traversal.

By crafting a malicious repomd.xml with specially designed keyhint entries, an attacker can overwrite or inject files anywhere on the target system, including sensitive locations, with root privileges.

This can lead to root code execution when a user runs a routine repository refresh using zypper.

Impact Analysis

This vulnerability can have severe impacts including unauthorized root code execution on affected systems.

An attacker able to supply a malicious repository can exploit the path traversal flaw to overwrite critical system files such as /etc/ld.so.preload, potentially gaining persistent root access.

This compromises system integrity, confidentiality, and availability, allowing attackers to execute arbitrary code with the highest privileges.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or malicious repomd.xml files served by repositories, especially those containing suspicious "keyhint" entries with path traversal patterns.

One practical approach is to intercept and inspect HTTP repository traffic to check for repomd.xml files with keyhint values containing directory traversal characters such as "../".

You can use commands like curl or wget to fetch the repomd.xml from your configured repositories and then grep for suspicious keyhint entries.

  • curl -s <repository_url>/repodata/repomd.xml | grep -i keyhint
  • wget -qO- <repository_url>/repodata/repomd.xml | grep -i keyhint

Look for keyhint values that include path traversal sequences (e.g., "../") which indicate a potential exploit attempt.

Additionally, monitoring zypper refresh operations for unexpected root file modifications or unusual behavior can help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to update libzypp to version 17.38.12 or later, where the vulnerability has been fixed by validating and restricting the "keyhint" filenames to prevent directory traversal.

Ensure that all SUSE-based systems, including openSUSE Tumbleweed, SUSE Linux Enterprise, and openSUSE Leap, apply the security updates that address this issue.

Avoid using untrusted or malicious repositories that could serve crafted repomd.xml files with malicious keyhint entries.

If possible, monitor and restrict network traffic to trusted repository sources only.

Review repository configurations and remove or disable any suspicious or unknown repositories.

Compliance Impact

The vulnerability allows attackers to inject or overwrite files on the target system as root by exploiting a path traversal flaw in libzypp. This can lead to unauthorized root code execution and potential compromise of system integrity.

Such unauthorized access and control over system files can result in breaches of data confidentiality, integrity, and availability, which are critical requirements under common standards and regulations like GDPR and HIPAA.

If exploited, this vulnerability could lead to exposure or manipulation of sensitive personal or health data, thereby causing non-compliance with these regulations and potentially resulting in legal and financial consequences.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44941. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart