CVE-2026-10805 MEDIUM

CVE-2026-10805: Networkmanager: networkmanager: local privilege escalation via malformed mud urls in dhclient backend

Vendor Red Hat
Product Multicluster Engine for Kubernetes
Weakness CWE-78
Published June 4, 2026
Last update July 2, 2026

CVSS base score

6.7/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A flaw was found in NetworkManager. This local privilege escalation vulnerability exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A local user can exploit this flaw to escalate privileges by triggering a script via a crafted MUD URL, provided an administrator has explicitly configured NetworkManager to use dhclient. This issue does not affect default configurations of NetworkManager.

Key dates

02Disclosure timeline

June 4, 2026 CVE published
July 2, 2026 Record updated