CVE-2026-25701: CWE-377: Insecure Temporary File in openSUSE sdbootutil
An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to pre-create a directory to achieve various effects like:
- gain access to possible private information found in /var/lib/pcrlock.d
- manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored.
- overwrite protected system files with data from /var/lib/pcrlock.d by placing symlinks to existing files in the directory tree in /tmp/pcrlock.d.bak.
This issue affects sdbootutil: from ? before 5880246d3a02642dc68f5c8cb474bf63cdb56bca.
AI Analysis
Technical Summary
CVE-2026-25701 is an insecure temporary file vulnerability classified under CWE-377 affecting the sdbootutil utility in openSUSE Linux distributions. The flaw allows local users with limited privileges to pre-create directories that sdbootutil uses insecurely during its operations. This can lead to multiple malicious outcomes: unauthorized access to potentially sensitive information stored in /var/lib/pcrlock.d, manipulation of backup data in /tmp/pcrlock.d.bak compromising data integrity, and overwriting of protected system files by exploiting symbolic link (symlink) attacks within the temporary backup directory. The vulnerability stems from insufficient validation and secure handling of temporary files and directories, enabling attackers to influence file system operations. The CVSS 4.0 score of 7.0 (high severity) reflects the vulnerability’s local attack vector, low complexity, no required authentication, and significant impact on confidentiality, integrity, and availability. Although no public exploits are known, the vulnerability poses a serious risk to systems running vulnerable versions of sdbootutil, especially in environments where local user access is possible. The affected versions are not explicitly specified but include all versions prior to commit 5880246d3a02642dc68f5c8cb474bf63cdb56bca. The issue was published on February 25, 2026, and is currently unpatched. Organizations relying on openSUSE should monitor for updates and assess local user permissions carefully.
Potential Impact
The vulnerability allows local attackers to compromise confidentiality by accessing private information in /var/lib/pcrlock.d. It also threatens data integrity by enabling manipulation of backup data in /tmp/pcrlock.d.bak, which could lead to corrupted or maliciously altered system states upon restoration. Additionally, the ability to overwrite protected system files via symlink attacks could result in privilege escalation or system instability, impacting availability. The scope is limited to local users but can be critical in multi-user environments or where untrusted users have shell access. Exploitation does not require user interaction or elevated privileges beyond local access, increasing the risk in shared or poorly secured systems. The overall impact includes potential unauthorized data disclosure, system compromise, and disruption of normal system operations.
Mitigation Recommendations
To mitigate this vulnerability, organizations should:
1) Apply patches or updates from openSUSE as soon as they become available to fix the insecure temporary file handling in sdbootutil.
2) Restrict local user access to systems running vulnerable versions, especially limiting shell or terminal access to trusted users only.
3) Implement strict file system permissions and use mandatory access controls (e.g., SELinux, AppArmor) to prevent unauthorized creation or manipulation of directories and symlinks in sensitive paths such as /tmp and /var/lib.
4) Monitor system logs for unusual file system activity related to /tmp/pcrlock.d.bak and /var/lib/pcrlock.d to detect potential exploitation attempts.
5) Consider using filesystem namespaces or containerization to isolate processes that use sdbootutil, reducing the risk of local privilege abuse.
6) Educate system administrators about the risks of insecure temporary file handling and encourage regular security audits of local privilege boundaries.
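A check a defender could run for mitigation step 4, as an added example that is not part of sdbootutil or of the original advisory: it inspects the fixed-name backup path for the pre-creation signs the description lists (foreign owner, permissive mode, symlinks at or under the path). The function name, the finding labels and the default that root is the legitimate creator are assumptions made for illustration; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not sdbootutil code. Audits a fixed-name backup directory for
# signs that another local user created or seeded it first.
# usage: audit_backup_dir PATH [EXPECTED_UID]   (EXPECTED_UID defaults to 0, root)
# Prints one finding per line; returns 0 when clean or absent, 1 otherwise.
audit_backup_dir() {
    abd_dir=$1
    abd_uid=${2:-0}
    abd_rc=0

    # A symlink at the path itself redirects every write made beneath it.
    if [ -L "$abd_dir" ]; then
        echo "SYMLINK_ROOT $abd_dir -> $(readlink "$abd_dir")"
        return 1
    fi
    [ -e "$abd_dir" ] || return 0            # absent: nothing was pre-created
    if [ ! -d "$abd_dir" ]; then
        echo "NOT_A_DIRECTORY $abd_dir"
        return 1
    fi

    # Owner differs from the expected creator: the directory was pre-created.
    abd_owner=$(stat -c %u "$abd_dir")
    if [ "$abd_owner" != "$abd_uid" ]; then
        echo "FOREIGN_OWNER $abd_dir uid=$abd_owner"
        abd_rc=1
    fi

    # Group/other write bit (octal digit 2, 3, 6 or 7) lets others edit the backup.
    abd_mode=$(stat -c %a "$abd_dir")
    case $abd_mode in
        *[2367]?|*[2367]) echo "WRITABLE_BY_OTHERS $abd_dir mode=$abd_mode"; abd_rc=1 ;;
    esac

    # Symlinks in the tree would redirect copied or restored files.
    abd_links=$(find "$abd_dir" -mindepth 1 -type l)
    if [ -n "$abd_links" ]; then
        printf '%s\n' "$abd_links" | while IFS= read -r abd_l; do
            echo "SYMLINK_INSIDE $abd_l -> $(readlink "$abd_l")"
        done
        abd_rc=1
    fi
    return "$abd_rc"
}

# Run as a script: sh audit.sh /tmp/pcrlock.d.bak
if [ "$#" -gt 0 ]; then audit_backup_dir "$@"; fi
```

Any finding on /tmp/pcrlock.d.bak means the backup should not be restored from without review.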
Affected Countries
Germany, United States, China, India, France, United Kingdom, Russia, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: suse
- Date Reserved: 2026-02-05T15:37:24.183Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 699edc67b7ef31ef0bffee91
Added to database: 2/25/2026, 11:26:31 AM
Last enriched: 3/4/2026, 8:37:30 PM
Last updated: 4/11/2026, 6:39:01 PM