CVE-2026-56004

openSUSE · buildservice

A shellcode injection vulnerability in the obs tar_scm source service allows attackers to execute arbitrary code via a malicious _service file.

Executive summary

A critical shellcode injection vulnerability in the openSUSE buildservice allows unauthenticated attackers to execute arbitrary code, posing a severe risk of total system compromise.

Vulnerability

This is a shellcode injection flaw residing within the mercurial handler of the obs tar_scm source service. An attacker can trigger this by providing a malicious _service file, resulting in code execution under the context of the source service or the local user.

Business impact

The potential for arbitrary code execution grants an attacker full control over the affected build infrastructure. Given the CVSS score of 10.0, this vulnerability represents a critical threat that could lead to the theft of source code, supply chain poisoning, and unauthorized access to internal development environments.

Remediation

Immediate Action: Update the openSUSE buildservice to version 0.12.4 or later immediately to eliminate the vulnerable code path.

Proactive Monitoring: Review system and service logs for unusual process execution patterns or the creation of unexpected files within the build service directory.

Compensating Controls: Restrict access to the submission of _service files to trusted users only and implement strict egress filtering on build servers to prevent command-and-control communication.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is of the highest severity and requires urgent attention. Administrators must prioritize updating the buildservice software, as the ability for an attacker to execute arbitrary code within the build pipeline presents an unacceptable risk to the integrity of the software development lifecycle.