Description
The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
Published: 2026-05-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway inserts unsanitized user input into a system() call, permitting authenticated remote attackers to execute arbitrary commands as root by supplying crafted destAddr parameters that use shell command substitution. This results in full attacker control over the device, compromising confidentiality, integrity, and availability of all services it provides.

Affected Systems

The vulnerability affects ALTICE LABS / SFR France devices that ship the /bin/httpd_clientside binary, specifically the GR140DG and GR140IG fibre CPE/Router/Gateway models. No firmware version information is provided; the flaw should be assumed present in any build of these models that carries the vulnerable traceroute handler.

Risk and Exploitability

The CVSS score is 8.8, indicating a high severity vulnerability. The EPSS score is below 1%, suggesting a low current probability of exploitation, and the issue is not listed in the CISA KEV catalog. Nevertheless, the vulnerability permits authenticated remote attackers to execute arbitrary commands with root privileges via crafted destAddr parameters to the traceroute handler. Attackers with network access to the device and valid credentials can submit destAddr values containing shell metacharacters; these reach the system() call unchanged and give the attacker full control over the device's confidentiality, integrity, and availability.

Generated by OpenCVE AI on May 6, 2026 at 21:39 UTC.
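As an added illustration (not the vendor's code, which is not public on this page), the weak pattern the advisory describes beside a hardened traceroute handler that allowlists destAddr and invokes traceroute without a shell; the function names and the traceroute options used are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Weak pattern described by the advisory (reconstructed, not vendor code):
 *   snprintf(cmd, sizeof cmd, "traceroute %s", dest_addr); system(cmd);
 * system() hands the string to /bin/sh, so "$(...)" or "; ..." inside
 * dest_addr runs with the daemon's (root) privileges.  This is CWE-78. */

/* Allowlist check: a traceroute target is an IPv4 dotted quad or a hostname,
 * i.e. letters, digits, '-' and '.' only, no empty labels, no leading '-'
 * (so it can never be parsed as an option).  Shell metacharacters such as
 * '$', '`', ';', '|', '&', quotes and whitespace all fail this test. */
bool valid_dest_addr(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-' || s[0] == '.') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '-' && c != '.') return false;
        if (c == '.' && (s[i + 1] == '.' || s[i + 1] == '\0')) return false;
    }
    return true;
}

/* Hardened handler: validate first, then exec traceroute directly with an
 * argv array.  No shell is involved, so nothing in dest is interpreted.
 * Returns traceroute's exit status, or -1 on rejection or failure. */
int run_traceroute(const char *dest)
{
    if (!valid_dest_addr(dest)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("traceroute", "traceroute", "-n", "-m", "15", dest, (char *)NULL);
        _exit(127);  /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    const char *dest = argc > 1 ? argv[1] : "$(id)";  /* constructed sample input */
    int rc = run_traceroute(dest);
    printf("%s -> %s\n", dest, rc < 0 ? "rejected or failed" : "traceroute ran");
    return rc < 0;
}
```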

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update provided by ALTICE LABS / SFR France that removes or sanitizes the vulnerable traceroute handler.
  • If no fix is available, disable the /bin/httpd_clientside traceroute service or block access to it through firewall or device configuration.
  • Restrict remote authentication to privileged users only, enforce strong password policies, and disable remote administration when not required.
  • Monitor device logs for unusually formatted destAddr inputs or unexpected system calls to detect attempted exploitation.

Generated by OpenCVE AI on May 6, 2026 at 21:39 UTC.

Advisories

No advisories yet.

History

Wed, 06 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Traceroute Handler Permits Root Command Injection on ALTICE LABS Routers

Wed, 06 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared: Altice; Altice gr140dg; Altice gr140ig
Vendors & Products: Altice; Altice gr140dg; Altice gr140ig

Tue, 05 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Traceroute Handler Permits Root Command Injection on ALTICE LABS Routers
Weaknesses CWE-78

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-06T18:26:38.156Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31196

Vulnrichment

Updated: 2026-05-06T18:20:35.128Z

NVD

Status : Awaiting Analysis

Published: 2026-05-05T16:16:11.290

Modified: 2026-05-07T15:15:06.770

Link: CVE-2026-31196

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T21:45:13Z

Weaknesses