Unvalidated DHCP strings in wicked <0.6.79 dhcp client
CVE-2026-44932 Published on June 16, 2026

indirect remote shell command injection via unsanitized DHCP options in wicked
Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

Attack Vector:

ADJACENT_NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

HIGH

Weakness Type

What is a Shell injection Vulnerability?

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVE-2026-44932 has been classified to as a Shell injection vulnerability or weakness.

Affected Versions

SUSE wicked:

Before 0.6.79 is affected.

Exploit Probability

EPSS

0.49%

Percentile

38.20%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Unvalidated DHCP strings in wicked <0.6.79 dhcp clientCVE-2026-44932 Published on June 16, 2026

Vulnerability Analysis

Weakness Type

What is a Shell injection Vulnerability?

Affected Versions

Exploit Probability

Unvalidated DHCP strings in wicked <0.6.79 dhcp client
CVE-2026-44932 Published on June 16, 2026