CVE-2026-44942

Name: CVE-2026-44942
Description: A path traversal in handling the "path" component of .repo files processed by libzypp before 17.38.13 in the 17.x series, or before 16.22.19 could be used by attackers to fill directories on the system outside of the zypp cache with content.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

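| Source Package | Release | Version | Status |
|---|---|---|---|
| libzypp (PTS) | bullseye | 17.25.7-1 | vulnerable |
| libzypp (PTS) | bookworm | 17.25.7-2.4 | vulnerable |
| libzypp (PTS) | trixie | 17.36.7-1 | vulnerable |
| libzypp (PTS) | forky, sid | 17.38.13-1 | fixed |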

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libzypp | source | (unstable) | 17.38.13-1 | | | |

Notes

https://bugzilla.suse.com/show_bug.cgi?id=1267874
