CVE-2025-9615
Publication date 26 January 2026
Last updated 28 January 2026
Ubuntu priority
CVSS 3 severity score
Description
A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| network-manager | 25.10 questing | Vulnerable, fix deferred |
| | 24.04 LTS noble | Vulnerable, fix deferred |
| | 22.04 LTS jammy | Vulnerable, fix deferred |
| | 20.04 LTS focal | Vulnerable, fix deferred |
| | 18.04 LTS bionic | Vulnerable, fix deferred |
| | 16.04 LTS xenial | Vulnerable, fix deferred |
Notes
mdeslaur
Fixing this issue in network-manager requires updating all the network-manager VPN plugins to use the same new method. This is likely too intrusive to do in stable releases. Marking as deferred until all the VPN plugins and an update strategy have been determined.

Possibly incomplete list of VPN plugins:

- network-manager-fortisslvpn
- network-manager-iodine
- network-manager-l2tp
- network-manager-openconnect
- network-manager-openvpn
- network-manager-pptp
- network-manager-sstp
- network-manager-strongswan
- network-manager-vpnc

Fixing this CVE likely also fixes CVE-2012-1096
Patch details
| Package | Patch details |
|---|---|
| network-manager |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |