CVE-2026-14459: Argument Injection Vulnerability in TUBITAK BILGEM pardus-software
A critical argument injection vulnerability (CVE-2026-14459) in TUBITAK BILGEM Software Technologies Research Institute's pardus-software versions up to 1.0.4 allows a local, low-privileged attacker to achieve unauthorized command execution, severely impacting confidentiality, integrity, and availability.
What's new
- l2 poc_available; added CVE-2026-14460; OS pardus 25 Jul 3, 18:04 via sploitus
CVE-2026-14459 details an improper neutralization of argument delimiters (argument injection) vulnerability within the TUBITAK BILGEM Software Technologies Research Institute's pardus-software. This critical flaw affects versions equal to or less than 1.0.4, with the patched version being 1.0.5. The vulnerability, which carries a CVSS v3.1 base score of 8.8 (High), allows a local attacker with low privileges to manipulate command arguments. By exploiting this weakness, an attacker can inject arbitrary commands, leading to unauthorized code execution and significant impact on the affected system's confidentiality, integrity, and availability. This vulnerability poses a serious risk to systems running the vulnerable software, as it can be leveraged for privilege escalation or to execute malicious payloads from an already compromised local environment.
Attack Chain
- Initial Access: The attacker gains low-privileged local access to a system running a vulnerable version of
pardus-software. This could be through a user account or another prior compromise (CVSS AV:L, PR:L). - Vulnerability Discovery: The attacker identifies the presence of
pardus-softwareand confirms its version is vulnerable to CVE-2026-14459. - Malicious Input Crafting: The attacker crafts a specific input containing specially formatted argument delimiters and commands designed to exploit the argument injection vulnerability.
- Exploitation: The attacker submits the crafted malicious input to
pardus-softwarevia a user interface, API, or command-line interaction that processes arguments without proper sanitization. - Argument Injection: The
pardus-softwareimproperly interprets the attacker's input, leading to the injection of unintended arguments into an underlying command execution function. - Arbitrary Command Execution: The injected arguments result in the execution of an attacker-controlled command with the privileges of the
pardus-softwareprocess. - Impact: The attacker's command executes, potentially leading to privilege escalation, arbitrary code execution, system compromise, or data manipulation and exfiltration.
Impact
The exploitation of CVE-2026-14459 results in a high impact on the confidentiality, integrity, and availability of the affected system, as indicated by its CVSS v3.1 score of 8.8 (C:H/I:H/A:H). Successful exploitation allows an attacker to execute arbitrary commands, which can lead to complete system compromise, data theft, data corruption, or denial-of-service conditions. This vulnerability provides a pathway for a low-privileged local attacker to elevate their privileges or execute malicious payloads without further authentication, posing a significant risk to the overall security posture of environments running pardus-software.
Recommendation
- Immediately patch
pardus-softwareto version 1.0.5 or later to mitigate CVE-2026-14459. - Restrict execution permissions for
pardus-softwareto only necessary users and contexts to limit the impact of potential local exploitation.
Indicators of compromise
1
hash_sha256
1
url
| Type | Value |
|---|---|
| url | https://sploitus.com/exploit?id=42D2AB27-0085-5020-AA75-F3E233F72A3 |
| hash_sha256 | 1d3f4c19affdb377ac5eee4c695619e9f6a4590350c3936678eb1db2cf601255 |