Path Traversal in libzypp <17.38.13 / 16.22.19
CVE-2026-44942 Published on June 18, 2026
libzypp .repo files can have an optional path which can lead to path traversal attacks
A path traversal in the handling of the "path" component of .repo files processed by libzypp before 17.38.13 in the 17.x series, or before 16.22.19, could be used by attackers to fill directories on the system outside of the zypp cache with content.
Vulnerability Analysis
CVE-2026-44942 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. An exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Path Traversal: '../filedir'
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
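A defensive audit for the weakness described above, as an added example that is not libzypp code or part of the advisory: it parses .repo text and flags any "path" value that, once normalized, resolves outside its base directory. The cache root, the one-directory-per-alias layout, the function names and the sample entries are assumptions made for illustration.

```python
import configparser
import glob
import posixpath
from urllib.parse import unquote

# Assumed layout for illustration: one directory per repo alias under a cache
# root. The page only says content should stay inside "the zypp cache".
CACHE_ROOT = "/var/cache/zypp/raw"

def escapes_base(base, repo_path):
    """True if repo_path, resolved relative to base, lands outside base."""
    base = posixpath.normpath(base)
    # Decode percent-escapes first (conservative; covers %2e%2e spellings).
    rel = unquote(repo_path).lstrip("/")
    target = posixpath.normpath(posixpath.join(base, rel))
    return posixpath.commonpath([base, target]) != base

def audit_repo_text(text, root=CACHE_ROOT):
    """Return (alias, path) pairs whose path= value climbs out of its base."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for alias in parser.sections():
        repo_path = parser.get(alias, "path", fallback="")
        if repo_path and escapes_base(posixpath.join(root, alias), repo_path):
            findings.append((alias, repo_path))
    return findings

# Constructed sample, not taken from a real system or from the advisory.
SAMPLE = """\
[inside]
baseurl=https://repo.example.invalid/dist
path=/suse/../x86_64

[outside]
baseurl=https://repo.example.invalid/dist
path=/../../../outside

[encoded]
baseurl=https://repo.example.invalid/dist
path=a/%2e%2e/%2e%2e/x
"""

if __name__ == "__main__":
    print(audit_repo_text(SAMPLE))
    for fn in glob.glob("/etc/zypp/repos.d/*.repo"):
        with open(fn, encoding="utf-8", errors="replace") as fh:
            for alias, value in audit_repo_text(fh.read()):
                print(f"{fn}: [{alias}] path={value}")
```

The "inside" entry contains ".." but is not flagged, because the check compares the normalized result against the base instead of matching on the substring.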
Affected Versions
SUSE libzypp:
- Version 17.0.0 and below 17.38.13 is affected.
- Before 16.22.19 is affected.