NIXPKGS-2026-0010
published on 13 Jan 2026
by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
removed
3 packages
- ocamlPackages.nbd
- python312Packages.libnbd
- python313Packages.libnbd
- @LeSuisse removed maintainer @akshatagarwl
- @LeSuisse accepted
- @LeSuisse published on GitHub
Libnbd: libnbd: arbitrary code execution via ssh argument injection through a malicious uri
A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd.
Affected products
libnbd
- <1.22.5
- <1.23.9
virt:rhel/libnbd
container-native-virtualization/virt-cdi-cloner
container-native-virtualization/virt-cdi-importer
container-native-virtualization/virt-cdi-operator
container-native-virtualization/virt-cdi-apiserver
container-native-virtualization/virt-cdi-controller
container-native-virtualization/virt-cdi-uploadproxy
container-native-virtualization/virt-cdi-cloner-rhel9
container-native-virtualization/virt-cdi-uploadserver
container-native-virtualization/virt-cdi-importer-rhel9
container-native-virtualization/virt-cdi-operator-rhel9
container-native-virtualization/virt-cdi-apiserver-rhel9
container-native-virtualization/virt-cdi-controller-rhel9
container-native-virtualization/virt-cdi-uploadproxy-rhel9
container-native-virtualization/virt-cdi-uploadserver-rhel9
Package maintainers
Ignored maintainers (1)
-
@akshatagarwl Akshat Agarwal <humancalico@disroot.org>