CVE-2026-43003
Published: 01 May 2026
Summary
CVE-2026-43003 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Openstack Ironic Python Agent. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 11.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-35 (External Malicious Code Identification) and SI-3 (Malicious Code Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Employs malicious code protection mechanisms to scan and eradicate malicious payloads in untrusted partition images before executing grub-install within the chroot environment.
Identifies and blocks external malicious code contained in the deployed partition image prior to chroot execution during deployment.
Requires inspection of untrusted partition images as supplied components to detect malicious functionality before processing with grub-install in chroot.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables arbitrary code execution in the Ironic Python Agent (a remote provisioning service) when processing a malicious partition image, directly mapping to exploitation of remote services to execute adversary-controlled code.
NVD Description
An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.
Deeper analysisAI
CVE-2026-43003 is a vulnerability in OpenStack's Ironic Python Agent (IPA) affecting versions 1.0.0 through 11.5.0. The issue arises when IPA executes the grub-install command from within a chroot environment of a deployed partition image, which can lead to arbitrary code execution if the image is malicious. This flaw is classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) and carries a CVSS v3.1 base score of 8.0 (AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts with a changed scope.
An attacker with low privileges (PR:L) on an adjacent network (AV:A) could exploit this vulnerability, though it requires high attack complexity (AC:H) and no user interaction (UI:N). Exploitation occurs when IPA processes a malicious partition image during deployment, allowing the attacker to achieve code execution within the agent's context. Successful exploitation grants high-level access to confidential data, modification of system integrity, and disruption of availability across the scoped components.
Advisories reference the issue in Launchpad bug 2148310 and a specific code snippet in ironic-python-agent's efi_utils.py (lines 134-139 in commit 236b33abffe6688afc39c21e351cc3889b3db2dd), highlighting the problematic grub-install execution. Practitioners should review these for patch details and upgrade to remediated versions beyond 11.5.0.
Details
- CWE(s)