CVE-2026-59674 PUBLISHED

LPE from suricata user to root due to chown in %post in suricata packaging

Assigner: suse
Reserved: 06.07.2026 Published: 14.07.2026 Updated: 14.07.2026

A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed suricata package allows the suricata user to escalate to root.

This issue affects openSUSE Tumbleweed: from ? before 8.0.5-2.1; openSUSE Tumbleweed: from ? before 8.0.5-2.1.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/S:N
CVSS Score: 7.1

Product Status

Vendor SUSE
Product openSUSE Tumbleweed
Versions Default: unaffected
  • affected from ? to 8.0.5-2.1 (excl.)
Vendor SUSE
Product openSUSE Tumbleweed
Versions Default: unaffected
  • affected from ? to 8.0.5-2.1 (excl.)

Credits

  • Johannes Segitz (SUSE) finder

References

Problem Types

  • CWE-61: UNIX Symbolic Link (Symlink) Following CWE