{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25701", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "state": "PUBLISHED", "assignerShortName": "suse", "dateReserved": "2026-02-05T15:37:24.183Z", "datePublished": "2026-02-25T10:59:58.372Z", "dateUpdated": "2026-02-25T20:50:09.650Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "sdbootutil", "product": "sdbootutil", "vendor": "openSUSE", "versions": [{"lessThan": "5880246d3a02642dc68f5c8cb474bf63cdb56bca", "status": "affected", "version": "?", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Matthias Gerstner of SUSE"}], "datePublic": "2026-02-18T08:18:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to&nbsp;pre-create a directory to achieve various effects like:<br><ul><li>gain access to possible private information found in /var/lib/pcrlock.d</li><li>manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored.</li><li>&nbsp;overwrite protected system files with data from /var/lib/pcrlock.d by placing symlinks to existing files in the directory tree in /tmp/pcrlock.d.bak.</li></ul><p>This issue affects sdbootutil: from ? before 5880246d3a02642dc68f5c8cb474bf63cdb56bca.</p>"}], "value": "An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to\u00a0pre-create a directory to achieve various effects like:\n * gain access to possible private information found in /var/lib/pcrlock.d\n * manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored.\n * \u00a0overwrite protected system files with data from /var/lib/pcrlock.d by placing symlinks to existing files in the directory tree in /tmp/pcrlock.d.bak.\n\n\nThis issue affects sdbootutil: from ? before 5880246d3a02642dc68f5c8cb474bf63cdb56bca."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-377", "description": "CWE-377: Insecure Temporary File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-02-25T10:59:58.372Z"}, "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1258241"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T20:49:57.200219Z", "id": "CVE-2026-25701", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T20:50:09.650Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25701", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T20:49:57.200219Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T20:50:03.844Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Matthias Gerstner of SUSE"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "openSUSE", "product": "sdbootutil", "versions": [{"status": "affected", "version": "?", "lessThan": "5880246d3a02642dc68f5c8cb474bf63cdb56bca", "versionType": "git"}], "packageName": "sdbootutil", "defaultStatus": "unaffected"}], "datePublic": "2026-02-18T08:18:00.000Z", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=1258241"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to\u00a0pre-create a directory to achieve various effects like:\n * gain access to possible private information found in /var/lib/pcrlock.d\n * manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored.\n * \u00a0overwrite protected system files with data from /var/lib/pcrlock.d by placing symlinks to existing files in the directory tree in /tmp/pcrlock.d.bak.\n\n\nThis issue affects sdbootutil: from ? before 5880246d3a02642dc68f5c8cb474bf63cdb56bca.", "supportingMedia": [{"type": "text/html", "value": "An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to&nbsp;pre-create a directory to achieve various effects like:<br><ul><li>gain access to possible private information found in /var/lib/pcrlock.d</li><li>manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored.</li><li>&nbsp;overwrite protected system files with data from /var/lib/pcrlock.d by placing symlinks to existing files in the directory tree in /tmp/pcrlock.d.bak.</li></ul><p>This issue affects sdbootutil: from ? before 5880246d3a02642dc68f5c8cb474bf63cdb56bca.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-377", "description": "CWE-377: Insecure Temporary File"}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-02-25T10:59:58.372Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25701", "state": "PUBLISHED", "dateUpdated": "2026-02-25T20:50:09.650Z", "dateReserved": "2026-02-05T15:37:24.183Z", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "datePublished": "2026-02-25T10:59:58.372Z", "assignerShortName": "suse"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to\u00a0pre-create a directory to achieve various effects like:\n * gain access to possible private information found in /var/lib/pcrlock.d\n * manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored.\n * \u00a0overwrite protected system files with data from /var/lib/pcrlock.d by placing symlinks to existing files in the directory tree in /tmp/pcrlock.d.bak.\n\n\nThis issue affects sdbootutil: from ? before 5880246d3a02642dc68f5c8cb474bf63cdb56bca."}, {"lang": "es", "value": "Una vulnerabilidad de archivo temporal inseguro en openSUSE sdbootutil permite a los usuarios locales pre-crear un directorio para lograr varios efectos como:\n * obtener acceso a posible informaci\u00f3n privada encontrada en /var/lib/pcrlock.d\n * manipular los datos respaldados en /tmp/pcrlock.d.bak, violando as\u00ed la integridad de los datos en caso de que se restauren.\n * sobrescribir archivos de sistema protegidos con datos de /var/lib/pcrlock.d colocando enlaces simb\u00f3licos a archivos existentes en el \u00e1rbol de directorios en /tmp/pcrlock.d.bak.\n\nEste problema afecta a sdbootutil: desde ? antes de 5880246d3a02642dc68f5c8cb474bf63cdb56bca."}], "id": "CVE-2026-25701", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "meissner@suse.de", "type": "Secondary"}]}, "published": "2026-02-25T12:16:17.763", "references": [{"source": "meissner@suse.de", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1258241"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-377"}], "source": "meissner@suse.de", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[?,5880246d3a02642dc68f5c8cb474bf63cdb56bca)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "sdbootutil", "vendor": "opensuse"}], "analysis": {"en": {"generated_at": "2026-04-17T15:19:14.706482+00:00", "value": {"mitigation_remediation": ["Upgrade openSUSE sdbootutil to a release that includes commit 5880246d3a02642dc68f5c8cb474bf63cdb56bca or later.", "Remove or lock the temporary directories (/tmp/pcrlock.d.bak) that may be written to by non\u2011privileged users, or set stricter permissions so only the sdbootutil process can write there.", "Audit and restore any modified files in /var/lib/pcrlock.d and /tmp/pcrlock.d.bak to ensure no tampering has occurred."], "summary": {"action": "Immediate patch", "impact": "Local privilege escalation and data integrity violation"}, "threat_synthesis": {"affected_systems": "The issue impacts all versions of the openSUSE sdbootutil utility earlier than commit 5880246d3a02642dc68f5c8cb474bf63cdb56bca. No specific version numbering is provided, so any installation of sdbootutil prior to this commit is vulnerable.", "description_and_impact": "A flaw in openSUSE sdbootutil\u2019s handling of temporary directories allows a local user to pre\u2011create a custom directory that is later used for system\u2011level operations. By doing so, the attacker can read sensitive data stored in /var/lib/pcrlock.d, corrupt backup data in /tmp/pcrlock.d.bak, or overwrite protected system files through symlinks. The vulnerability stems from an insecure temporary file design (CWE\u2011377) and can result in data integrity breaches or elevated privileges for the local account.", "risk_and_exploitability": "The CVSS score of 7.0 indicates a high severity vulnerability. The EPSS score is less than 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers require local system access, meaning this flaw is primarily exploitable by users who already have login privileges. If successfully abused, an attacker can modify or replace protected files and compromise system integrity."}}}}, "created": "2026-02-26T13:18:10.404489+00:00", "title": "Insecure Temporary File Handling in openSUSE sdbootutil Enables Local Privilege Escalation", "updated": "2026-04-17T15:30:06.019767+00:00", "vendors": ["opensuse", "opensuse$PRODUCT$sdbootutil"]}