Description
A flaw was found in NetworkManager. This local privilege escalation vulnerability exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A local user can exploit this flaw to escalate privileges by triggering a script via a crafted MUD URL, provided an administrator has explicitly configured NetworkManager to use dhclient. This issue does not affect default configurations of NetworkManager.
Published: 2026-06-04
Score: 6.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A local user can trigger a privilege escalation by sending or using a malformed Manufacturer Usage Description (MUD) URL that is processed by NetworkManager’s dhclient backend. The malformed URL causes the backend to execute a script, allowing the attacker to gain root privileges on the host. This flaw is an instance of OS Command Injection (CWE-78).

Affected Systems

Red Hat Enterprise Linux 6, 7, 8, 9, 10; Red Hat Multicluster Engine for Kubernetes; Red Hat JBoss Enterprise Application Platform Expansion Pack; Red Hat OpenShift Container Platform 4. The default configuration of NetworkManager on these systems does not enable the dhclient backend, so an administrator must have explicitly changed the configuration.

Risk and Exploitability

The CVSS score is 6.7, indicating moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, so there is no public indication of exploitation in the wild. Exploitation requires a local user who can supply the MUD URL on a system where an administrator has configured NetworkManager to use dhclient; when both conditions hold, the attacker can elevate privileges to root. The attack vector is local: the crafted MUD URL or similar input must be processed on the affected host itself.

Generated by OpenCVE AI on June 4, 2026 at 06:20 UTC.

Remediation

Vendor Workaround

To prevent exploitation, ensure NetworkManager is not configured to use the `dhclient` backend. The default configuration on Red Hat Enterprise Linux does not enable `dhclient`. If a custom configuration file, such as `/etc/NetworkManager/conf.d/00-dhcp.conf`, contains `dhcp=dhclient` in its `[main]` section, remove or comment out that line. After modifying the configuration, restart the NetworkManager service:

`sudo systemctl restart NetworkManager`

Warning: restarting the NetworkManager service will temporarily disrupt network connectivity.


OpenCVE Recommended Actions

  • Ensure NetworkManager is not configured to use the dhclient backend by removing or commenting out the line "dhcp=dhclient" in any custom configuration file such as /etc/NetworkManager/conf.d/00-dhcp.conf
  • Restart the NetworkManager service with "sudo systemctl restart NetworkManager", noting that this will temporarily interrupt network connectivity
  • Verify that no custom NetworkManager configurations enable the dhclient backend and confirm all system packages are up-to-date or patched against this vulnerability
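The configuration check described in the workaround and recommended actions above, as an added shell example that is not part of the advisory or of NetworkManager itself: it resolves the effective `[main]` `dhcp=` value across `NetworkManager.conf` and `conf.d/*.conf` (later drop-ins override earlier ones), ignores commented-out lines, and runs against a constructed fixture rather than a live host. The fixture file names and the `default` placeholder for an unset key are assumptions.

```shell
#!/bin/sh
# Resolve the effective [main] dhcp= setting under a NetworkManager config root.
# NetworkManager reads NetworkManager.conf first, then conf.d/*.conf in lexical
# order; a later file's [main] dhcp= overrides an earlier one, so the check
# reports the effective value instead of grepping for a string. Comment lines
# (# or ;) and dhcp= keys outside [main] are ignored. A live audit should also
# cover the /usr/lib/NetworkManager/conf.d and /run/NetworkManager/conf.d roots.

# Print the effective dhcp= value, or "default" when no file sets it.
nm_effective_dhcp() {
    root="$1"
    value=""
    for f in "$root/NetworkManager.conf" "$root/conf.d"/*.conf; do
        [ -f "$f" ] || continue
        v=$(awk -F= '
            /^[ \t]*[#;]/ { next }
            /^[ \t]*\[/   { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/); next }
            in_main && $1 ~ /^[ \t]*dhcp[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 }
            END { if (v != "") print v }
        ' "$f")
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "${value:-default}"
}

# Succeed (exit 0) only when the effective backend is the exposed dhclient one.
nm_dhclient_configured() {
    [ "$(nm_effective_dhcp "$1")" = "dhclient" ]
}

# Constructed fixture, not a real system: a drop-in selecting dhclient next to a
# commented-out copy, plus (optionally) a later drop-in that overrides it.
build_fixture() {    # usage: build_fixture <dir> [override]
    mkdir -p "$1/conf.d"
    printf '[main]\nplugins=keyfile\n\n[logging]\nlevel=INFO\n' > "$1/NetworkManager.conf"
    printf '[main]\n# dhcp=dhclient\ndhcp=dhclient\n' > "$1/conf.d/00-dhcp.conf"
    [ "$2" = "override" ] && printf '[main]\ndhcp=internal\n' > "$1/conf.d/99-local.conf"
    return 0
}

tmp=$(mktemp -d)
build_fixture "$tmp/exposed"
build_fixture "$tmp/overridden" override
for r in "$tmp/exposed" "$tmp/overridden"; do
    if nm_dhclient_configured "$r"; then verdict="EXPOSED"; else verdict="ok"; fi
    printf '%s: dhcp=%s [%s]\n' "$r" "$(nm_effective_dhcp "$r")" "$verdict"
done
rm -rf "$tmp"
```

Point `nm_effective_dhcp` at `/etc/NetworkManager` to audit a real host; a result of `dhclient` means the vulnerable backend is in effect even if the line lives in a file other than `00-dhcp.conf`.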



Advisories

No advisories yet.

History

Thu, 04 Jun 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in NetworkManager. This local privilege escalation vulnerability exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A local user can exploit this flaw to escalate privileges by triggering a script via a crafted MUD URL, provided an administrator has explicitly configured NetworkManager to use dhclient. This issue does not affect default configurations of NetworkManager.
Title | | Networkmanager: networkmanager: local privilege escalation via malformed mud urls in dhclient backend
First Time appeared | | Redhat; Redhat enterprise Linux; Redhat jbosseapxp; Redhat multicluster Engine; Redhat openshift
Weaknesses | | CWE-78
CPEs | | cpe:/a:redhat:jbosseapxp; cpe:/a:redhat:multicluster_engine; cpe:/a:redhat:openshift:4; cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:6; cpe:/o:redhat:enterprise_linux:7; cpe:/o:redhat:enterprise_linux:8; cpe:/o:redhat:enterprise_linux:9
Vendors & Products | | Redhat; Redhat enterprise Linux; Redhat jbosseapxp; Redhat multicluster Engine; Redhat openshift
References | |
Metrics | | cvssV3_1 {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-04T05:21:34.080Z

Reserved: 2026-06-04T05:10:00.738Z

Link: CVE-2026-10805

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-04T06:16:21.780

Modified: 2026-06-04T06:16:21.780

Link: CVE-2026-10805

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T06:30:07Z

Weaknesses