Description
An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to pre-create a directory to achieve various effects like:
* gain access to possible private information found in /var/lib/pcrlock.d
* manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored.
*  overwrite protected system files with data from /var/lib/pcrlock.d by placing symlinks to existing files in the directory tree in /tmp/pcrlock.d.bak.


This issue affects sdbootutil: from ? before 5880246d3a02642dc68f5c8cb474bf63cdb56bca.
Published: 2026-02-25
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Local privilege escalation and data integrity violation
Action: Immediate patch
AI Analysis

Impact

A flaw in openSUSE sdbootutil’s handling of temporary directories allows a local user to pre‑create a custom directory that is later used for system‑level operations. By doing so, the attacker can read sensitive data stored in /var/lib/pcrlock.d, corrupt backup data in /tmp/pcrlock.d.bak, or overwrite protected system files through symlinks. The vulnerability stems from an insecure temporary file design (CWE‑377) and can result in data integrity breaches or elevated privileges for the local account.

Affected Systems

The issue impacts all versions of the openSUSE sdbootutil utility earlier than commit 5880246d3a02642dc68f5c8cb474bf63cdb56bca. No specific version numbering is provided, so any installation of sdbootutil prior to this commit is vulnerable.

Risk and Exploitability

The CVSS score of 7.0 indicates a high severity vulnerability. The EPSS score is less than 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers require local system access, meaning this flaw is primarily exploitable by users who already have login privileges. If successfully abused, an attacker can modify or replace protected files and compromise system integrity.

Generated by OpenCVE AI on April 17, 2026 at 15:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade openSUSE sdbootutil to a release that includes commit 5880246d3a02642dc68f5c8cb474bf63cdb56bca or later.
  • Remove or lock the temporary directories (/tmp/pcrlock.d.bak) that may be written to by non‑privileged users, or set stricter permissions so only the sdbootutil process can write there.
  • Audit and restore any modified files in /var/lib/pcrlock.d and /tmp/pcrlock.d.bak to ensure no tampering has occurred.

Generated by OpenCVE AI on April 17, 2026 at 15:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Title Insecure Temporary File Handling in openSUSE sdbootutil Enables Local Privilege Escalation

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Opensuse
Opensuse sdbootutil
Vendors & Products Opensuse
Opensuse sdbootutil

Wed, 25 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 11:30:00 +0000

Type Values Removed Values Added
Description An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to pre-create a directory to achieve various effects like: * gain access to possible private information found in /var/lib/pcrlock.d * manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored. *  overwrite protected system files with data from /var/lib/pcrlock.d by placing symlinks to existing files in the directory tree in /tmp/pcrlock.d.bak. This issue affects sdbootutil: from ? before 5880246d3a02642dc68f5c8cb474bf63cdb56bca.
Weaknesses CWE-377
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Opensuse Sdbootutil
cve-icon MITRE

Status: PUBLISHED

Assigner: suse

Published:

Updated: 2026-02-25T20:50:09.650Z

Reserved: 2026-02-05T15:37:24.183Z

Link: CVE-2026-25701

cve-icon Vulnrichment

Updated: 2026-02-25T20:50:03.844Z

cve-icon NVD

Status : Deferred

Published: 2026-02-25T12:16:17.763

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25701

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses