Introduction
A rogue DHCP server on your local network segment could achieve root level code execution on any SUSE Linux Enterprise or openSUSE host running the wicked network configuration framework, simply by responding to a routine DHCP request with a crafted option value. CVE-2026-44932 exposes a classic but often overlooked attack surface: the trust boundary between network protocol data and shell evaluation contexts, this time in the DHCP client that ships as the default networking stack across SUSE's enterprise product line.
Wicked is SUSE's default network configuration framework, replacing the older sysconfig package for managing network interfaces on SUSE Linux Enterprise Server, SUSE Linux Enterprise Desktop, SLE Micro, and openSUSE distributions. It is developed under the openSUSE project on GitHub and is present on virtually every SUSE based system that uses DHCP for network configuration. The vulnerability carries a CVSS 3.1 score of 8.8 (High) and is classified under CWE-78 (OS Command Injection).
Technical Information
Root Cause: Unsanitized DHCP Option Strings in Leaseinfo Files
The vulnerability resides in the function __ni_leaseinfo_print_string() within wicked's src/leaseinfo.c. This function writes DHCP option values received from a DHCP server into files located at /run/wicked/leaseinfo.*, using a shell compatible KEY='value' format. Prior to version 0.6.79, the function used a naive pattern:
fprintf(out, "%s='%s'\n", ...);
This wraps values in single quotes without any validation or escaping of shell metacharacters. Any single quote character embedded in a DHCP server's response terminates the quoting context, allowing arbitrary content to be appended. Backticks, command separators (;), subshell invocations ($()), and other shell special characters also pass through unmodified.
DHCP options such as POSIXTZSTRING (option 100, per RFC 4833) and POSIXTZDBNAME (option 101) are string valued fields that an attacker can populate with arbitrary content. When a malicious DHCP server includes shell metacharacters in these fields, the resulting leaseinfo file contains syntactically broken shell variable assignments that, when sourced by a shell script, execute the injected commands.
The Exploitation Chain
The attack proceeds through four stages:
Stage 1: Attacker Positioning. The attacker must operate on the local or adjacent network, either by running a malicious DHCP server or by sending spoofed DHCP responses. The CVSS vector (AV:A/AC:L/PR:N/UI:N) confirms that no privileges, authentication, or user interaction are required.
Stage 2: Malicious DHCP Response. When the wicked DHCP client (dhcp4 or dhcp6) requests network configuration, the attacker's server responds with DHCP options containing embedded shell metacharacters. A single quote in a timezone string value, for example, breaks out of the enclosing quotes in the leaseinfo file.
Stage 3: Unsanitized File Write. The __ni_leaseinfo_print_string() function writes these values verbatim into /run/wicked/leaseinfo.* files. The resulting file contains a line where the attacker controlled content has escaped the quoting context and can include arbitrary shell commands.
Stage 4: Indirect Execution. This is where the vulnerability becomes dangerous. Wicked itself does not source these leaseinfo files as shell scripts. However, third party scripts that do source them will execute the injected commands. The SUSE Bugzilla entry (bsc#1265221) specifically identifies dracut's network-legacy module, particularly its ifup.sh script used in SLE 15 SP7, as a consumer that inadvertently evaluates the unsanitized input. Because dracut operates during early boot and initrd initialization, the injected commands execute with root privileges.
The "Indirect" Nature of the Vulnerability
The classification as "indirect" command injection is significant. Wicked creates a latent attack surface by writing attacker controlled data into files that follow shell variable assignment conventions, but it never evaluates those files itself. The actual code execution depends entirely on downstream consumers. This indirectness makes the vulnerability harder to identify through code review of wicked alone and explains the divergence between the CVSS 3.1 score of 8.8 and the CVSS 4.0 score of 5.8 (which discounts secondary impacts). Organizations should prioritize based on the 8.8 score given the demonstrated real world exploitability of this pattern.
Historical Precedent: CVE-2018-1111 (DynoRoot)
CVE-2026-44932 closely parallels CVE-2018-1111 (DynoRoot), a DHCP command injection vulnerability in Red Hat Enterprise Linux 6 and 7 analyzed by Palo Alto Unit 42. In that case, dhclient requested the WPAD option (Code 252), and while dhclient initially sanitized values with backslashes, the 11-dhclient script's read command (without the -r flag) unescaped the characters, allowing an eval() statement to execute arbitrary commands with root privileges. A working Metasploit module (exploit/unix/dhcp/rhel_dhcp_client_command_injection) was developed for DynoRoot, demonstrating that this class of vulnerability is straightforwardly exploitable. Both vulnerabilities share the identical fundamental flaw: DHCP client data from an untrusted network source flows through insufficient sanitization into a shell evaluation context.
Patch Information
The definitive fix is updating to wicked version 0.6.79, released on June 15, 2026. The patch, authored by Marius Tomaschewski, spans 11 commits across 10 files and addresses the vulnerability through three complementary strategies.
Strategy 1: Proper Single Quote Escaping in Leaseinfo Output
The most critical change lands in src/leaseinfo.c, where a new function ni_leaseinfo_quote_string_value() was introduced. When it encounters a single quote, it closes the current quoted section, emits an escaped \', and reopens the quoted section. This is the standard POSIX safe approach to embedding literal single quotes within single quoted strings. An additional ni_check_printable() call acts as a secondary gate before any escaping is attempted.
Strategy 2: Stricter Input Validation for DHCP String Options
Rather than relying solely on output escaping, the patch also hardens the input path. A new generic utility function was added in src/util.c:
ni_bool_t ni_check_string_characters(const char *str, size_t len, int (*valid)(int)) { const unsigned char *ptr = (const unsigned char *)str; if (!str || len == 0) return FALSE; for ( ; *ptr && len-- > 0; ++ptr) { if (!valid(*ptr)) return FALSE; } return TRUE; }
This function accepts a custom character validation callback, which enabled three new specialized validators in src/dhcp.c:
ni_dhcp_check_printable_string(): allows printable characters and tab, but explicitly rejects single quote ('). This replaces the oldni_check_printable()in all DHCPv4 and DHCPv6 string option processing paths.ni_dhcp_check_posix_tzdbname(): whitelists only alphanumerics plus+,-,_, and/for timezone database names (e.g.,America/New_York), aligned with RFC 4833 and IEEE Std 1003.1-2024.ni_dhcp_check_posix_tzstring(): whitelists the character set required for POSIX TZ expanded format strings (e.g.,EST5EDT,M3.2.0,M11.1.0), permitting<,>,+,-,/,:,.,,and alphanumerics.
In src/dhcp4/protocol.c, the DHCP4_POSIX_TZ_STRING and DHCP4_POSIX_TZ_DBNAME cases were rerouted through dedicated parsing functions that apply the respective validators. Six call sites in src/dhcp6/protocol.c were similarly updated.
Strategy 3: Initrd Regeneration Trigger
Because wicked binaries may be embedded inside the system's initrd image, the RPM spec file (wicked.spec.in) was updated with %pre, %post, and %posttrans scriptlets that detect upgrades from wicked versions 0.6.78 or earlier and trigger an initrd regeneration. This ensures the vulnerable binary is not left in the boot image. A simple package update alone is insufficient if the initrd is not regenerated.
Applying the Patches
SUSE published four coordinated security advisories on June 10, 2026:
| Advisory ID | Affected Products | Fixed Package Version |
|---|---|---|
| SUSE-SU-2026:2349-1 | SLE 15 SP7 (Desktop, Real Time, Server, SAP), Basesystem Module 15 SP7 | 0.6.79-150700.3.3.1 |
| SUSE-SU-2026:2350-1 | SLES 12 SP5 LTSS | 0.6.79-2.23.1 |
| SUSE-SU-2026:2353-1 | SLE 15 SP5 (Server, LTSS, SAP, HPC), SLE Micro 5.5, openSUSE Leap 15.5 | 0.6.79-150500.3.21.1 |
| SUSE-SU-2026:2354-1 | SLE 15 SP4 (Server, LTSS, SAP), SLE Micro 5.3/5.4, openSUSE Leap 15.4 | 0.6.79-150400.3.39.1 |
For SLE 15 SP7, apply via: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2349=1. For other product lines, use zypper patch or YaST online_update.
Network Level Compensating Controls
While patching is the primary mitigation, the following controls reduce exposure: enable DHCP snooping on managed switches to block unauthorized DHCP responses; segment DHCP broadcast domains to limit the adjacent network attack surface; audit any custom scripts that source /run/wicked/leaseinfo.* files; and verify after patching that the initrd has been regenerated.
Detection Methods
Leaseinfo File Inspection (Host Based IoC)
The most direct way to detect active exploitation or past compromise is to examine the contents of /run/wicked/leaseinfo.* files on affected systems. In vulnerable versions (before 0.6.79), DHCP option values are written verbatim without escaping. Defenders should inspect all leaseinfo files for:
- Values containing unescaped single quotes (
'), which would break thekey='value'format and enable command injection - Shell metacharacters such as
;,|,$(), or backticks within any DHCP sourced fields - Unexpected commands or file paths embedded in option values like
POSIXTZSTRING,POSIXTZDBNAME, or any other string type DHCP parameters
Additionally, monitoring the outputs of wicked test dhcp4 and wicked test dhcp6 can surface suspicious DHCP responses before they reach leaseinfo files.
Side Effect Indicators
Because the injection occurs indirectly when a third party script sources the leaseinfo file, defenders should also look for unexpected side effects indicating a payload has executed. The Bugzilla report demonstrates a payload targeting /etc/shadow, so examples include unexpected permission changes on sensitive files, creation of unexpected files, or unexplained process executions running as root during network interface bring up or initrd initialization.
Package Version Checks
The most reliable way to identify vulnerable systems is to verify the installed wicked package version. All versions prior to 0.6.79 are affected. On SUSE/openSUSE systems, check via rpm -q wicked. The fixed version numbers by distribution:
- SLES/SLED 15 SP7:
wicked-0.6.79-150700.3.3.1 - SLES 15 SP4 LTSS:
wicked-0.6.79-150400.3.39.1 - SLES 15 SP5 LTSS:
wicked-0.6.79-150500.3.42.1 - SLES 12 SP5 LTSS:
wicked-0.6.79-3.56.1
Tenable Nessus Plugins
Tenable has released multiple Nessus plugins targeting this vulnerability, all published on June 14, 2026. These are local, package version based checks in the "SuSE Local Security Checks" family:
- Plugin ID 321025 (
suse_SU-2026-2349-1.nasl): Covers SUSE SLED15 / SLES15 - Additional plugins cover SUSE-SU-2026:2350-1 (SLES12), SUSE-SU-2026:2353-1 (SLES15 SP5), SUSE-SU-2026:2354-1 (openSUSE Leap 15.4/Micro 5.x), and openSUSE-SU-2026:20949-1 (openSUSE 16)
These plugins support Agentless Assessment, Continuous Assessment, Frictionless Assessment (AWS/Azure), Nessus Agent, and standard Nessus scanning. They rely on the application's self reported version number and do not perform active exploitation testing.
Network Level Detection
While no published Snort, Suricata, YARA, or Sigma rules currently exist for this CVE, monitoring for rogue DHCP servers is valuable. Specifically, watch for DHCP servers sending unusual values in option 100 (POSIX Timezone String) or option 101 (TZ Database Name). Any DHCP option values containing shell metacharacters or single quote characters in timezone related fields should be treated as highly suspicious, as legitimate values for these options are constrained to specific character sets defined in RFC 4833.
Affected Systems and Versions
All versions of wicked prior to 0.6.79 are vulnerable. The affected SUSE product lines, as covered by the four security advisories, include:
- SUSE Linux Enterprise Server 12 SP5 LTSS
- SUSE Linux Enterprise Server 15 SP4 LTSS and SLE 15 SP4 SAP
- SUSE Linux Enterprise Server 15 SP5 LTSS, SLE 15 SP5 SAP, and SLE 15 SP5 HPC
- SUSE Linux Enterprise Server 15 SP7 (Desktop, Real Time, Server, SAP), Basesystem Module 15 SP7
- SUSE Linux Enterprise Micro 5.3, 5.4, and 5.5
- openSUSE Leap 15.4 and 15.5
- openSUSE Leap 16.0 (fixed package version 0.6.79-bp160.1.1)
The vulnerability is particularly impactful on systems where dracut's network-legacy module is used (notably SLE 15 SP7), as this module's ifup.sh script sources the leaseinfo files and provides the indirect execution path for injected commands.
Vendor Security History
The recurrence of DHCP command injection vulnerabilities across Linux distributions is notable. CVE-2018-1111 (DynoRoot) affected RHEL's dhclient with the same fundamental pattern, and a Metasploit module was developed for it. SUSE's wicked now joins dhclient in the list of DHCP clients that have been vulnerable to this class of attack. Both CWE-78 classifications confirm this as a well understood and demonstrably exploitable weakness category.
SUSE's security response for this specific vulnerability was well executed. The issue was discovered internally by SUSE's own security personnel, the fix was developed and released concurrently across four product lines with specific patch commands and initrd regeneration triggers, and advisories were published ahead of the NVD entry. However, the vulnerability's existence in a core networking component across multiple SLE versions (12 SP5 through 15 SP7) and SLE Micro editions underscores the importance of comprehensive inventory and patching across all affected hosts.
References
- NVD: CVE-2026-44932
- SUSE Bugzilla: bsc#1265221
- Wicked Release 0.6.79 (GitHub)
- Wicked 0.6.78 to 0.6.79 Diff (GitHub)
- SUSE-SU-2026:2349-1 Advisory
- SUSE-SU-2026:2354-1 (sle-security-updates)
- SUSE-SU-2026:2353-1 (sle-security-updates)
- SUSE-SU-2026:2350-1 (sle-security-updates)
- SUSE-SU-2026:2349-1 (sle-security-updates)
- Mondoo: openSUSE-SU-2026:20949-1
- Tenable Nessus Plugin 321025
- Tenable: CVE-2026-44932
- Tenable Nessus Plugin 321010
- OSV: SUSE-SU-2026:2350-1
- Vulners: CVE-2026-44932
- Unit 42: Analysis of CVE-2018-1111 (DynoRoot)
- Rapid7: DHCP Client Command Injection (DynoRoot)
- CWE-78: OS Command Injection
- LinuxSecurity: SUSE 2026-2349-1 Advisory
- openSUSE/wicked GitHub Repository
- SUSE Security Flaw Remediation Process



