NIXPKGS-2026-0010
published on 13 Jan 2026

CVE-2025-14946
updated 1 week, 2 days ago by @LeSuisse

Activity log
  Created automatic suggestion (1 week, 6 days ago)
  @LeSuisse removed 3 packages: ocamlPackages.nbd, python312Packages.libnbd, python313Packages.libnbd (1 week, 2 days ago)
  @LeSuisse removed maintainer @akshatagarwl (1 week, 2 days ago)
  @LeSuisse accepted as draft (1 week, 2 days ago)
  @LeSuisse published on GitHub (1 week, 2 days ago)

Libnbd: libnbd: arbitrary code execution via ssh argument injection through a malicious uri

A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd.

Affected products
  libnbd
    <1.23.9
    <1.22.5
  virt:rhel/libnbd
  container-native-virtualization/virt-cdi-cloner
  container-native-virtualization/virt-cdi-importer
  container-native-virtualization/virt-cdi-operator
  container-native-virtualization/virt-cdi-apiserver
  container-native-virtualization/virt-cdi-controller
  container-native-virtualization/virt-cdi-uploadproxy
  container-native-virtualization/virt-cdi-cloner-rhel9
  container-native-virtualization/virt-cdi-uploadserver
  container-native-virtualization/virt-cdi-importer-rhel9
  container-native-virtualization/virt-cdi-operator-rhel9
  container-native-virtualization/virt-cdi-apiserver-rhel9
  container-native-virtualization/virt-cdi-controller-rhel9
  container-native-virtualization/virt-cdi-uploadproxy-rhel9
  container-native-virtualization/virt-cdi-uploadserver-rhel9

Matching in nixpkgs
  pkgs.libnbd
  Network Block Device client library in userspace
    nixos-unstable         1.22.1
    nixpkgs-unstable       1.22.1
    nixos-unstable-small   1.22.1
    nixos-25.11            1.22.1
    nixos-25.11-small      1.22.1
    nixpkgs-25.11-darwin   1.22.1
    nixos-25.05            1.22.1
    nixos-25.05-small      1.22.1
    nixpkgs-25.05-darwin   1.22.1
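
The argument-injection pattern in the description above can be screened for on the caller side before an untrusted URI reaches an unpatched library. The following is an added example, not code from libnbd or from this advisory; the function names, the sample URIs and the `nbd+ssh` scheme used in them are assumptions made for illustration, and the option scan is a simplified model of getopt-style parsing.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1123 style labels: letters, digits and inner hyphens only, so a host
# can never begin with '-' or carry characters such as '='.
_HOSTNAME = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Constructed sample URIs (scheme and hosts are illustrative assumptions).
GOOD_URI = "nbd+ssh://storage01.example.internal/export"
BAD_URI = "nbd+ssh://-oExampleOption=value/export"

class UnsafeHostError(ValueError):
    """The URI host could be read by ssh as something other than a host."""

def safe_host(uri):
    """Return the URI's host only if it is an IP literal or a plain hostname."""
    host = urlsplit(uri).hostname
    if not host:
        raise UnsafeHostError("URI has no host component")
    try:
        ipaddress.ip_address(host)  # IPv4 / IPv6 literals are acceptable
        return host
    except ValueError:
        pass
    if not _HOSTNAME.match(host):
        raise UnsafeHostError(f"refusing non-standard host {host!r}")
    return host

def ssh_argv_naive(uri):
    """Pattern the advisory describes: host placed where options are parsed."""
    return ["ssh", urlsplit(uri).hostname]

def ssh_argv_hardened(uri):
    """Validate the host, then pass it after '--' so it cannot be an option."""
    return ["ssh", "--", safe_host(uri)]

def read_as_options(argv):
    """Simplified getopt model: '-x' arguments before '--' count as options."""
    opts = []
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg.startswith("-") and len(arg) > 1:
            opts.append(arg)
    return opts
```

Upgrading to a fixed libnbd release remains the actual remedy; this check only narrows what a caller hands to the library in the meantime.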