{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23857", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2026-01-16T18:05:07.319Z", "datePublished": "2026-02-12T02:05:31.927Z", "dateUpdated": "2026-02-26T14:44:21.920Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Update Package", "vendor": "Dell", "versions": [{"status": "affected", "version": "25.02.00", "versionType": "semver"}]}], "datePublic": "2026-02-10T18:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Dell Update Package (DUP) Framework, versions 23.12.00 through 24.12.00, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.<br>"}], "value": "Dell Update Package (DUP) Framework, versions 23.12.00 through 24.12.00, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-280", "description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-02-12T02:05:31.927Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000426781/dsa-2026-081-security-update-for-dell-update-package-dup-framework-vulnerability"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23857", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-13T04:56:34.141864Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:21.920Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23857", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-13T04:56:34.141864Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T15:33:28.016Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "Update Package", "versions": [{"status": "affected", "version": "25.02.00", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-10T18:30:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000426781/dsa-2026-081-security-update-for-dell-update-package-dup-framework-vulnerability", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Dell Update Package (DUP) Framework, versions 23.12.00 through 24.12.00, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.", "supportingMedia": [{"type": "text/html", "value": "Dell Update Package (DUP) Framework, versions 23.12.00 through 24.12.00, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-280", "description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2026-02-12T02:05:31.927Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23857", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:21.920Z", "dateReserved": "2026-01-16T18:05:07.319Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2026-02-12T02:05:31.927Z", "assignerShortName": "dell"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:update_package_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA606C82-5DDD-4677-A640-C7BA6D1F7644", "versionEndExcluding": "25.02.00", "versionStartIncluding": "23.12.00", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell Update Package (DUP) Framework, versions 23.12.00 through 24.12.00, contains an Improper Handling of Insufficient Permissions or Privileges vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges."}, {"lang": "es", "value": "El Framework de Dell Update Package (DUP), versiones 23.12.00 a 24.12.00, contiene una vulnerabilidad de manejo inadecuado de permisos o privilegios insuficientes. Un atacante con privilegios bajos con acceso local podr\u00eda potencialmente explotar esta vulnerabilidad, lo que lleva a una elevaci\u00f3n de privilegios."}], "id": "CVE-2026-23857", "lastModified": "2026-02-18T19:33:06.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2026-02-12T03:15:47.003", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000426781/dsa-2026-081-security-update-for-dell-update-package-dup-framework-vulnerability"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-280"}], "source": "security_alert@emc.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "25.02.00"}}], "product": "update_package", "vendor": "dell"}], "analysis": {"en": {"generated_at": "2026-04-17T20:07:29.468252+00:00", "value": {"mitigation_remediation": ["Install the Dell security update DSA-2026-081 for the Update Package Framework, which resolves the privilege escalation issue.", "Limit local user accounts to only those explicitly authorized for system maintenance and monitoring for unauthorized accounts.", "Enforce strict file permission checks on the update package components to prevent unauthorized write or execution by non-administrative users."], "summary": {"action": "Patch Request", "impact": "Elevation of Privileges"}, "threat_synthesis": {"affected_systems": "Dell Update Package (DUP) Framework; versions 23.12.00 through 24.12.00 are affected. These versions are used in Dell systems to apply firmware and driver updates. The issue does not appear in earlier or later releases not listed here.", "description_and_impact": "The Dell Update Package Framework contains an improper handling of insufficient permissions or privileges that can be abused to elevate a low privileged local attacker to higher system rights. The weakness allows a local user with limited rights to bypass security checks when executing the framework, which is classified as CWE-280. Unchecked privileges can lead to full system compromise and unrestricted access to data and services.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.2 indicating a high severity impact. However, the EPSS score is below 1%, suggesting that exploitation is unlikely in the wild at this time. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack vector is inferred to be local, requiring an attacker to have some level of local access but not administrative rights. Once the local user exploits the permission flaw, they can gain elevated privileges and potentially gain full control of the affected system."}}}}, "created": "2026-02-12T09:02:04.747470+00:00", "title": "Improper Handling of Insufficient Permissions in Dell Update Package Framework", "updated": "2026-04-17T20:15:26.998996+00:00", "vendors": ["dell", "dell$PRODUCT$update_package"]}