CVE-2026-35207

Summary

dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from openapi.deepin.com or other providers. An MITM attacker could intercept the traffic, replace the avatar with a malicious or misleading image, and potentially identify the user by the avatar. This vulnerability is fixed in dde-control-center 6.1.80 and 5.9.9.

Affected Software

VendorProductVersion RangeStatus
linuxdeepindde-control-center>= 6.1.35, < 6.1.80affected
linuxdeepindde-control-center>= 5.5.3, < 5.9.9affected
linuxdeepindeepin-deepinid-plugin>= 2.0.1, <= 2.0.9affected

Weaknesses

  • CWE-295: CWE-295: Improper Certificate Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References