CVE-2026-10805: NetworkManager Local Privilege Escalation via Malformed MUD URL
NetworkManager, a widely used Linux network configuration utility, contains a local privilege escalation vulnerability in its dhclient backend. When processing specially crafted Manufacturer Usage Description (MUD) URLs, an authenticated local user can trigger malicious script execution to gain elevated system privileges. The vulnerability requires specific administrative configuration (non-default use of dhclient backend) and user interaction, limiting its scope but making it a meaningful risk for organizations using that backend.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.7 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
A flaw was found in NetworkManager. This local privilege escalation vulnerability exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A local user can exploit this flaw to escalate privileges by triggering a script via a crafted MUD URL, provided an administrator has explicitly configured NetworkManager to use dhclient. This issue does not affect default configurations of NetworkManager.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10805 is a local privilege escalation vulnerability (CVSS 3.1 score 6.7, MEDIUM) affecting NetworkManager's dhclient backend. The flaw exists in MUD URL processing logic where insufficient input validation allows a local user (PR:L) with low complexity exploitation (AC:H) to craft a malformed URL that triggers arbitrary script execution. The vulnerability maps to CWE-78 (OS Command Injection), indicating improper neutralization of special elements used in an OS command. Exploitation requires user interaction (UI:R) but achieves high confidentiality, integrity, and availability impact when successful. The issue is confined to systems where administrators have explicitly selected dhclient as the backend; default NetworkManager deployments are not affected.
Business impact
Organizations running NetworkManager with non-default dhclient backend configuration face localized but severe risk. An authenticated local attacker—such as a standard user or service account with shell access—could escalate to root or system privileges, leading to complete system compromise, data exfiltration, or lateral movement to critical infrastructure. While impact is significant when exploitable, the requirement for non-default configuration limits enterprise exposure. However, organizations with heterogeneous Linux estates, legacy deployments, or deliberate dhclient use should assess exposure immediately.
Affected systems
This vulnerability affects NetworkManager installations where the dhclient backend is explicitly configured as the DHCP client. Default NetworkManager configurations (typically using internal DHCP handling or systemd-resolved) are unaffected. Systems most at risk include: legacy deployments maintaining dhclient for compatibility, environments with custom network policies enforcing dhclient, and embedded or specialized Linux systems where this configuration may be standard. The flaw does not affect NetworkManager versions or installations using alternative DHCP backends.
Exploitability
Exploitation requires local access and authenticated user status, making this a privilege escalation rather than remote attack vector. Attack complexity is rated as HIGH, reflecting the need to craft specific malformed MUD URL payloads and trigger their processing (user interaction required). However, once those prerequisites align—plausible in multi-user systems or container environments—the attack is deterministic. The attack surface is narrow (MUD URL processing in non-default configurations) but not theoretical; organizations using dhclient should treat this as practically exploitable within their threat model. No public exploit code or proof-of-concept is widely documented as of the publication date.
Remediation
Remediation centers on three approaches: (1) Apply patches from NetworkManager maintainers addressing MUD URL validation in the dhclient backend; (2) Disable or reconfigure the dhclient backend in favor of default DHCP handling if operationally feasible; (3) Restrict local user access on systems where dhclient backend is necessary, reducing the pool of potential attackers. Organizations unable to patch immediately should prioritize restricting non-administrative user accounts and monitoring for suspicious dhclient activity.
Patch guidance
Contact your Linux distribution vendor (Red Hat, Debian, Ubuntu, SUSE, etc.) or the NetworkManager project for patch availability. Verify patches are available for your specific NetworkManager version before planning deployment. Test patches in non-production environments to confirm compatibility with your dhclient configuration and network policies. Once patches are released, apply them as standard priority updates—MEDIUM CVSS score suggests phased deployment within normal change windows, though organizations with confirmed dhclient use should prioritize. Document the backend configuration before and after patching to ensure no regression.
Detection guidance
Monitor for malformed or suspicious MUD URL processing in NetworkManager logs and dhclient activity. On affected systems, look for: (1) Unexpected child process spawning from dhclient; (2) Failed or unusual script execution attempts linked to DHCP lease negotiation; (3) Privilege escalation events correlated with network reconfiguration; (4) Modification of MUD URL handling in NetworkManager config files. Use endpoint detection and response (EDR) tools to flag privilege escalation chains originating from network service processes. NetworkManager running with verbose logging can expose suspicious URL patterns—enable temporarily in test environments to understand normal baseline behavior.
Why prioritize this
Despite a MEDIUM CVSS score, this vulnerability merits prompt attention for organizations confirming dhclient backend use. The combination of local privilege escalation impact (high C/I/A ratings) and the realistic likelihood of exploitation in multi-tenant or developer environments elevates practical risk. The narrow scope (non-default configuration) prevents this from being enterprise-critical, but targeted assessment is essential. Prioritize organizations with: confirmed dhclient use, high local-user-access environments, or compliance requirements (containerized workloads, CI/CD systems). Organizations using default NetworkManager configurations can deprioritize pending confirmed patch release.
Risk score, explained
The CVSS 3.1 score of 6.7 (MEDIUM) reflects: local attack vector (no network access), high privileges required (authenticated user), high attack complexity (malformed URL crafting needed), user interaction required (triggering MUD processing), and high confidentiality/integrity/availability impact if successful. The score appropriately penalizes the local-only nature but acknowledges the severity of privilege escalation. However, real-world risk depends heavily on whether your environment uses the dhclient backend—if you do, treat this as higher priority than the base score alone suggests; if you don't, risk is negligible.
Frequently asked questions
Does this affect my system if I'm running a standard Ubuntu or Red Hat installation?
No, unless you or your administrator explicitly configured NetworkManager to use the dhclient backend. Most modern Linux distributions use NetworkManager's default DHCP handling or systemd-resolved. Check your NetworkManager configuration in /etc/NetworkManager/ or via `nmcli device show` to confirm which DHCP backend is active. If you see 'internal' or 'systemd-resolved', you are not affected.
What is a MUD URL and why is it a problem here?
A Manufacturer Usage Description (MUD) URL is a standard mechanism (RFC 8520) that lets IoT devices and network hardware describe their intended network communications to a network manager, improving security posture. The vulnerability exists because NetworkManager's dhclient backend doesn't properly validate the URL before processing it; an attacker can craft a malicious URL that, when processed, executes arbitrary commands with elevated privileges instead of safely fetching device behavior guidelines.
Can this be exploited remotely?
No. This is strictly a local privilege escalation. An attacker needs authenticated login access to the system (e.g., via SSH as a standard user, or as a service account). They cannot trigger it from across the network. However, in containerized environments, multi-tenant systems, or environments with permissive user access policies, this becomes more plausible.
Will patching break my network connectivity?
Patches address only the malformed URL handling logic and should not disrupt normal DHCP operation or MUD URL functionality when used legitimately. Test patches in a staging environment to confirm, but security patches at this scope rarely cause functional regression. If dhclient is critical to your network topology, however, always test before production deployment.
This analysis is based on information available as of the publication date (2026-06-04). Patch availability, exploitation proof-of-concept tools, and KEV status may have changed since publication; check vendor advisories and security feeds for the latest updates. The vulnerability does not affect default NetworkManager configurations; confirm your backend setting before allocation remediation resources. SEC.co provides this information for informational purposes to aid security decision-making and does not warrant completeness or applicability to your specific environment. Consult vendor documentation and internal threat modeling for final prioritization decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10279MEDIUMOS Command Injection in wezterm-mcp 0.1.0
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-41281HIGHWaterfall WF-500 OS Command Injection
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool