CVE-2026-43003
Published: 01 May 2026
Summary
CVE-2026-43003 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Openstack Ironic Python Agent. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 46.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-35 (External Malicious Code Identification) and SI-3 (Malicious Code Protection).
Deeper analysis
CVE-2026-43003 is a vulnerability in OpenStack's Ironic Python Agent (IPA) affecting versions 1.0.0 through 11.5.0. The issue arises when IPA executes the grub-install command from within a chroot environment of a deployed partition image, which can lead to arbitrary code execution if the image is malicious. This flaw is classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) and carries a CVSS v3.1 base score of 8.0 (AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts with a changed scope.
An attacker with low privileges (PR:L) on an adjacent network (AV:A) could exploit this vulnerability, though it requires high attack complexity (AC:H) and no user interaction (UI:N). Exploitation occurs when IPA processes a malicious partition image during deployment, allowing the attacker to achieve code execution within the agent's context. Successful exploitation grants high-level access to confidential data, modification of system integrity, and disruption of availability across the scoped components.
Advisories reference the issue in Launchpad bug 2148310 and a specific code snippet in ironic-python-agent's efi_utils.py (lines 134-139 in commit 236b33abffe6688afc39c21e351cc3889b3db2dd), highlighting the problematic grub-install execution. Practitioners should review these for patch details and upgrade to remediated versions beyond 11.5.0.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26489
Vulnerability details
An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables arbitrary code execution in the Ironic Python Agent (a remote provisioning service) when processing a malicious partition image, directly mapping to exploitation of remote services to execute adversary-controlled code.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Employs malicious code protection mechanisms to scan and eradicate malicious payloads in untrusted partition images before executing grub-install within the chroot environment.
Identifies and blocks external malicious code contained in the deployed partition image prior to chroot execution during deployment.
Requires inspection of untrusted partition images as supplied components to detect malicious functionality before processing with grub-install in chroot.