Description
Nokia SR Linux is vulnerable to a local privilege escalation vulnerability due to unsanitized format validation. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privileges.
Published: 2026-06-16
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an externally-controlled format string (CWE-134) in a format-validation routine: input supplied by an authenticated local user reaches a formatting function as its format string rather than as a data argument, so the user controls how that function interprets its arguments. The result is a local privilege escalation in which that user can execute arbitrary commands with superuser privileges. The CVSS vector (PR:H) records the precondition as an account that already holds high privileges on the device.
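The following is an added illustration of the weakness class the advisory names (CWE-134), not code from Nokia, SR Linux or the advisory; the helper `format_message()` and the `report_invalid_name_*` routines are hypothetical names chosen for this example, and the sample input is constructed. It shows the pattern in which a value being validated is handed to a formatting helper as the format string, beside the fixed form where the value is only ever a `%s` argument, and a small directive-counting check of the kind used at input boundaries and in tests.

```c
/* Added example, not Nokia's code: a minimal CWE-134 pattern of the kind
 * the advisory describes, shown beside its fix. format_message() and the
 * report_* routines are hypothetical names chosen for this illustration. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message builder, like a logging or error-reporting helper
 * inside a management daemon. It is a thin wrapper over vsnprintf, so
 * whatever it receives as fmt is parsed for '%' conversions. */
static int format_message(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: the value being validated is passed as the format string.
 * Any '%' conversion in it is interpreted against whatever happens to be
 * in the argument registers or on the stack, and "%n" writes to memory.
 * Only "%%" is exercised below, because other directives are undefined
 * behaviour here. */
int report_invalid_name_vulnerable(char *out, size_t outlen, const char *name)
{
    return format_message(out, outlen, name);          /* BUG: CWE-134 */
}

/* Fixed: the format is a constant; the untrusted value is only ever a
 * data argument, so its contents are copied, never interpreted. */
int report_invalid_name_fixed(char *out, size_t outlen, const char *name)
{
    return format_message(out, outlen, "invalid name: %s", name);
}

/* Defensive check for input-validation boundaries and tests: number of
 * format conversions in a string, treating "%%" as a literal percent sign.
 * A value that is never meant to be a format should not contain any. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* "%%" is a literal percent, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 if the vulnerable routine changed the text it was given, which
 * happens exactly when the text was parsed as a format string. */
int vulnerable_alters_input(const char *name)
{
    char buf[128];
    report_invalid_name_vulnerable(buf, sizeof buf, name);
    return strcmp(buf, name) != 0;
}

/* Returns 1 if the fixed routine reproduced the input verbatim after its
 * constant prefix. */
int fixed_preserves_input(const char *name)
{
    char buf[128];
    const char *prefix = "invalid name: ";
    report_invalid_name_fixed(buf, sizeof buf, name);
    return strncmp(buf, prefix, strlen(prefix)) == 0
        && strcmp(buf + strlen(prefix), name) == 0;
}

int main(void)
{
    /* Constructed sample input: a harmless "%%" shows the parsing without
     * invoking undefined behaviour. */
    const char *sample = "50%% util";
    char buf[128];

    report_invalid_name_vulnerable(buf, sizeof buf, sample);
    printf("vulnerable: %s\n", buf);   /* "%%" collapsed to a single '%' */
    report_invalid_name_fixed(buf, sizeof buf, sample);
    printf("fixed:      %s\n", buf);   /* input copied verbatim */
    printf("conversions in \"%%x.%%x.%%n\": %d\n", count_conversions("%x.%x.%n"));
    return 0;
}
```

The vulnerable routine turns `50%% util` into `50% util`, proving the input was parsed rather than copied; the fixed routine leaves it untouched. The same property is what a unit test or fuzz harness should assert on any routine that logs or echoes user-supplied values.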

Affected Systems

The affected product is Nokia SR Linux. No affected-version or package data is included in the advisory, so every deployment of Nokia SR Linux should be treated as potentially affected until Nokia publishes affected and fixed versions.

Risk and Exploitability

The CVSS 3.1 base score of 6.3 (AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H) indicates medium severity, and the EPSS score of less than 1% implies a low likelihood of exploitation in the wild; the SSVC record lists exploitation as 'none' and the issue as not automatable. The attack vector is local and requires high privileges, so an attacker must already hold an authenticated account with elevated rights on the device, reached through its CLI, console or management interface, before the flaw can be triggered. The vulnerability is not listed in the CISA KEV catalog, but a successful exploit yields superuser access and therefore full control of the device; the vector rates integrity and availability impact high and confidentiality impact low. Because the vector is local, the risk is reduced by limiting who holds accounts on SR Linux nodes and by restricting management-plane access, but a patch should be applied as soon as one is available.

Generated by OpenCVE AI on June 16, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the vendor‑released patch or software update for Nokia SR Linux as soon as it is released.
  • Enforce least‑privilege user accounts on each node, particularly since the vulnerability requires an account that already holds elevated rights, and disable any unnecessary services or CLI features that could expose the vulnerable code path.
  • Monitor device logs for unexpected privilege escalations, commands executed as root by non‑administrative accounts, and crashes or restarts of management processes, and investigate any anomalous command executions promptly.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 13:30:00 +0000

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-134

Type: Metrics
  Values removed: (none)
  Values added:
    cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 06:30:00 +0000

Type: Description
  Values removed: (none)
  Values added: Nokia SR Linux is vulnerable to local privilege escalation vulnerability due to unsanitized format validation. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privileges.

Type: Title
  Values removed: (none)
  Values added: An unsanitized format validation vulnerability in Nokia SR Linux

Type: References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Nokia

Published:

Updated: 2026-06-16T12:32:54.052Z

Reserved: 2025-09-11T08:45:07.544Z

Link: CVE-2025-10262

Vulnrichment

Updated: 2026-06-16T12:31:01.714Z

NVD

Status : Awaiting Analysis

Published: 2026-06-16T06:16:57.063

Modified: 2026-06-16T15:26:04.250

Link: CVE-2025-10262

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:30:03Z

Weaknesses
  • CWE-134: Use of Externally-Controlled Format String