CVE-2026-43003

Summary

An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.

Affected Software

VendorProductVersion RangeStatus
OpenStackironic-python-agent0 < 10.2.3affected
OpenStackironic-python-agent11.0.0 < 11.2.1affected
OpenStackironic-python-agent11.3.0 < 11.5.1affected

Weaknesses

  • CWE-829: CWE-829 Inclusion of Functionality from Untrusted Control Sphere

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

ironic-python-agent: OpenStack ironic-python-agent: Arbitrary code execution via malicious image

Additional References

References