Executive Summary
A critical vulnerability (CVE-2026-56004) with a CVSS score of 10 has been discovered in the obs tar_scm source service before version 0.12.4. This vulnerability allows attackers to inject shellcode and execute code as the source service or local user. The vulnerability is exploitable over the network with low complexity and no required privileges.
Technical Analysis
The vulnerability is classified as a shellcode injection vulnerability in the mercurial handler of the obs tar_scm source service. The attack vector involves providing a malicious _service file, which can be used to execute code as the source service or the local user checking out the malicious services. The root cause of this vulnerability is the lack of proper input validation in the mercurial handler.
How It Gets Exploited
An attacker with network access can provide a malicious _service file to the obs tar_scm source service. When the service processes this file, the attacker can inject shellcode, leading to code execution as the source service or local user. For example, an unauthenticated remote attacker on the same network can send a crafted _service file to the obs tar_scm source service, triggering the shellcode injection vulnerability. The service, failing to validate the input properly, executes the injected shellcode, allowing the attacker to achieve code execution.
Impact Assessment
The openSUSE Build Service, specifically the obs-service-tar_scm package before version 0.12.4, is affected by this vulnerability. An attacker can achieve arbitrary code execution, leading to high impacts on confidentiality, integrity, and availability. The CVSS score of 10 indicates a critical severity level.
Recommended Actions
To mitigate this vulnerability, update the obs-service-tar_scm package to version 0.12.4 or later. Additionally, restrict network access to the obs tar_scm source service and implement proper input validation and sanitization for _service files.
Sources
- National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2026-56004