Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10805

CVE-2026-10805: NetworkManager Privilege Escalation Flaw

CVE-2026-10805 is a local privilege escalation vulnerability in NetworkManager's dhclient backend involving malformed MUD URLs. Attackers can exploit this to gain elevated privileges. Learn about technical details, affected systems, and mitigation.

Published:

CVE-2026-10805 Overview

A local privilege escalation flaw exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A local user can trigger script execution through a crafted MUD URL, escalating privileges on the host. Exploitation requires that an administrator has explicitly configured NetworkManager to use the dhclient backend. The default NetworkManager configuration is not affected. The flaw is categorized under [CWE-78] OS Command Injection.

Critical Impact

Authenticated local users can escalate to elevated privileges on systems where NetworkManager has been reconfigured to use the dhclient backend, leading to full compromise of confidentiality, integrity, and availability.

Affected Products

  • NetworkManager (when configured to use the dhclient DHCP backend)
  • Red Hat distributions shipping the affected NetworkManager package (see Red Hat CVE-2026-10805 Advisory)
  • Downstream Linux distributions packaging the vulnerable NetworkManager release

Discovery Timeline

  • 2026-06-04 - CVE-2026-10805 published to NVD
  • 2026-06-04 - Last updated in NVD database

Technical Details for CVE-2026-10805

Vulnerability Analysis

NetworkManager integrates with dhclient to obtain DHCP leases and parse extended DHCP options. One such option is the Manufacturer Usage Description (MUD) URL, defined by RFC 8520, which identifies device-specific access policies. NetworkManager's dhclient backend does not properly sanitize the MUD URL value before passing it through shell-invoked helper scripts. A locally authenticated user controlling a DHCP response, or otherwise able to influence the MUD URL field consumed by dhclient, can inject shell metacharacters that execute as the elevated user running the script. The flaw is classified as OS Command Injection [CWE-78].

Root Cause

The root cause is missing input validation on the MUD URL string within the dhclient integration path. Malformed values containing shell control characters are passed unescaped to a script interpreter, allowing arbitrary command execution under the script's privilege context.

Attack Vector

The attack requires local access, low privileges, and user interaction, and depends on a non-default administrative configuration that selects dhclient as the DHCP backend. The attacker supplies a crafted MUD URL that is processed by NetworkManager during a DHCP event. When the helper script consumes the malformed URL, the embedded payload executes with the script's privileges, enabling privilege escalation.

No verified public exploit code is available for CVE-2026-10805. Refer to the Red Hat Bug Report #2484613 for additional technical details.

Detection Methods for CVE-2026-10805

Indicators of Compromise

  • Unexpected child processes spawned by dhclient or NetworkManager helper scripts such as /etc/NetworkManager/dispatcher.d/ entries
  • DHCP lease files or logs containing MUD URL values with shell metacharacters such as ;, |, `, or $(
  • Privileged shell sessions or new accounts created shortly after a DHCP lease renewal event

Detection Strategies

  • Audit NetworkManager configuration for dhcp=dhclient in /etc/NetworkManager/NetworkManager.conf and flag hosts deviating from the default internal backend
  • Monitor process lineage for dhclient or NetworkManager parent processes executing shells, interpreters, or user-management binaries
  • Inspect journalctl -u NetworkManager and /var/log/messages for malformed DHCP option 161 (MUD URL) values

Monitoring Recommendations

  • Enable auditd rules covering execve events whose parent is dhclient or a NetworkManager dispatcher script
  • Alert on writes to /etc/passwd, /etc/shadow, or /etc/sudoers.d/ correlated with DHCP lease events
  • Centralize NetworkManager and DHCP logs to a SIEM for cross-host correlation of suspicious MUD URL patterns

How to Mitigate CVE-2026-10805

Immediate Actions Required

  • Inventory all Linux hosts and identify systems where administrators have set NetworkManager to use the dhclient backend
  • Revert to the default internal DHCP backend on affected hosts until a patched NetworkManager package is installed
  • Restrict local logon and untrusted DHCP servers on network segments that include vulnerable hosts

Patch Information

Apply the vendor-supplied NetworkManager update once available. Track the patch status through the Red Hat CVE-2026-10805 Advisory and the corresponding distribution security trackers for Fedora, CentOS Stream, and other downstream consumers.

Workarounds

  • Set dhcp=internal in /etc/NetworkManager/NetworkManager.conf and reload NetworkManager to disable the vulnerable dhclient code path
  • Remove or restrict execute permissions on custom dispatcher scripts that consume the MUD URL value
  • Block untrusted DHCP servers at the network layer using DHCP snooping or equivalent controls
bash
# Configuration example: force NetworkManager to use the internal DHCP client
sudo sed -i 's/^dhcp=dhclient/dhcp=internal/' /etc/NetworkManager/NetworkManager.conf
sudo systemctl restart NetworkManager
NetworkManager --print-config | grep '^dhcp='

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.