Description
`PluginScript` attempts to `chroot` the plugin to the `repoManagerRoot`; this root is frequently `/` (the system root) in standard configurations or when using `--root`. If the chroot target is `/`, the chroot is a no-op, so a traversed plugin path can execute host binaries (like `/bin/bash`) with root privileges.
Published: 2026-05-20
Score: 8.5 High (CVSS v4.0; CVSS v3.1 base score 7.8)
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when libzypp's PluginScript tries to confine a plugin by chroot'ing to repoManagerRoot. That root is frequently '/' (the system root), both in standard configurations and when --root is used, and chroot('/') changes nothing: the plugin process still sees the host filesystem. A plugin path containing traversal components can therefore resolve to a host binary such as /bin/bash, which is then executed with the privileges of the package manager, normally root. The published CVSS vectors rate this as a local attack (AV:L) that needs user interaction (UI:R in v3.1, UI:P in v4.0) but no privileges (PR:N), so the practical outcome is local code execution and privilege escalation, not remote code execution.

Affected Systems

SUSE Linux Enterprise and openSUSE systems that use libzypp. No specific version details are provided in the CNA data; administrators should ensure any distribution using libzypp is assessed for this issue.

Risk and Exploitability

The CVSS v4.0 base score is 8.5 (High) and the CVSS v3.1 base score is 7.8; both vectors are local (AV:L), low complexity, no privileges required, user interaction required. The EPSS score is below 1%, the SSVC assessment records Exploitation: none and Automatable: no (with total technical impact), and the vulnerability is not listed in CISA's KEV catalog. The attack vector is local: an attacker needs the ability to load or influence the plugin path or scripts that libzypp runs, and the CNA data does not describe a remote trigger, so this should be assessed as local privilege escalation rather than remote code execution.

Generated by OpenCVE AI on May 20, 2026 at 11:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libzypp to the latest SUSE package that contains the security fix for CVE-2026-44933.
  • If a patch is not yet available, do not treat the chroot as a confinement boundary. repoManagerRoot is the root the package manager operates on, so pointing it elsewhere only applies to operations that already target a separate root (for example an installation chroot); for the running system it is not a usable workaround, and the practical mitigation is to control who can create or modify the plugin scripts and plugin paths that libzypp loads.
  • The path check belongs in the plugin loader (PluginScript), not in individual plugin scripts: the resolved plugin path must stay under the plugin directory, and a chroot target that resolves to '/' must be treated as providing no confinement at all.
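The following C++ example is added here as an illustration of the last two points; it is not libzypp code. It shows why a chroot target that normalises to '/' gives no confinement, and how a plugin loader can reject plugin names that traverse outside the plugin directory before anything is executed. It works lexically on path strings, so it runs without root and without touching the filesystem. The function names `chrootConfines` and `resolvePluginPath`, the plugin directory `usr/lib/zypp/plugins/commit` and the plugin name `mkinitrd` are assumed illustrative values, not taken from the advisory or from libzypp.

```cpp
// Added example, not libzypp code. Lexical path-confinement check for a
// plugin name resolved under <root>/<pluginDir>. Names, paths and the
// plugin directory below are assumptions for illustration only.
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Lexically normalise a POSIX path: drop empty and "." segments, resolve
// "..", and report whether ".." ever tried to climb above the start of
// `path`. Does not consult the filesystem, so symlinks are not resolved.
static std::string lexicalNormalize(const std::string &path, bool &escaped) {
    std::vector<std::string> parts;
    escaped = false;
    std::stringstream ss(path);
    std::string seg;
    while (std::getline(ss, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") {
            if (parts.empty()) escaped = true;   // climbed out of the start
            else parts.pop_back();
            continue;
        }
        parts.push_back(seg);
    }
    std::string out;
    for (const auto &p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// chroot(2) to a root that normalises to "/" leaves the process in the
// host filesystem: it is not a sandbox and must not be relied on as one.
bool chrootConfines(const std::string &root) {
    bool unused = false;
    return lexicalNormalize(root, unused) != "/";
}

// Resolve a plugin name to the path the loader would exec. Returns ""
// (reject) when the name is absolute, empty, normalises to the directory
// itself, or contains a traversal that leaves pluginDir. This check is
// what protects the caller when chrootConfines(root) is false.
std::string resolvePluginPath(const std::string &root,
                              const std::string &pluginDir,
                              const std::string &name) {
    if (name.empty() || name[0] == '/') return "";   // no absolute names
    bool escaped = false;
    std::string rel = lexicalNormalize(name, escaped);
    if (escaped || rel == "/") return "";             // "../" climbed out
    bool unused = false;
    std::string base = lexicalNormalize(root + "/" + pluginDir, unused);
    return (base == "/" ? "" : base) + rel;
}

int main() {
    // Assumed plugin directory and names; root "/" is the vulnerable case.
    const std::string dir = "usr/lib/zypp/plugins/commit";
    std::cout << "chroot('/') confines: " << chrootConfines("/") << "\n";
    std::cout << "chroot('/mnt/target') confines: "
              << chrootConfines("/mnt/target") << "\n";
    for (const char *n : {"mkinitrd", "../../../../bin/bash", "/bin/bash"}) {
        std::string p = resolvePluginPath("/", dir, n);
        std::cout << n << " -> " << (p.empty() ? "(rejected)" : p) << "\n";
    }
    return 0;
}
```

The lexical check is only the first gate: a real loader should additionally resolve the final path with realpath(3) and re-check the prefix, since a symlink inside the plugin directory can still point at a host binary.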

Generated by OpenCVE AI on May 20, 2026 at 11:27 UTC.


Advisories

No advisories yet.

History

Wed, 20 May 2026 13:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 10:00:00 +0000

Type: Description
Values Added: `PluginScript` attempts to `chroot` the plugin to the `repoManagerRoot`, this root is frequently `/` (the system root) in standard configurations or when using `--root`. If the chroot target is `/`, it is a no-op, allowing the traversed path to execute host binaries (like `/bin/bash`) with root privileges.

Type: Title
Values Added: Path Traversal in Plugin Loading in libzypp

Type: Weaknesses
Values Added: CWE-35

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1
{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
cvssV4_0
{'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: suse

Published:

Updated: 2026-05-20T12:18:50.304Z

Reserved: 2026-05-08T12:29:48.966Z

Link: CVE-2026-44933

Vulnrichment

Updated: 2026-05-20T12:18:42.731Z

NVD

Status : Deferred

Published: 2026-05-20T10:16:28.453

Modified: 2026-05-20T14:01:24.027

Link: CVE-2026-44933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T11:30:26Z

Weaknesses