Cyber Resilience

CVE-2026-43003

HighUpdated

Published: 01 May 2026

Published
01 May 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.0 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0084 53.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-43003 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Openstack Ironic Python Agent. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 46.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-35 (External Malicious Code Identification) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2026-43003 is a vulnerability in OpenStack's Ironic Python Agent (IPA) affecting versions 1.0.0 through 11.5.0. The issue arises when IPA executes the grub-install command from within a chroot environment of a deployed partition image, which can lead to arbitrary code execution if the image is malicious. This flaw is classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) and carries a CVSS v3.1 base score of 8.0 (AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts with a changed scope.

An attacker with low privileges (PR:L) on an adjacent network (AV:A) could exploit this vulnerability, though it requires high attack complexity (AC:H) and no user interaction (UI:N). Exploitation occurs when IPA processes a malicious partition image during deployment, allowing the attacker to achieve code execution within the agent's context. Successful exploitation grants high-level access to confidential data, modification of system integrity, and disruption of availability across the scoped components.

Advisories reference the issue in Launchpad bug 2148310 and a specific code snippet in ironic-python-agent's efi_utils.py (lines 134-139 in commit 236b33abffe6688afc39c21e351cc3889b3db2dd), highlighting the problematic grub-install execution. Practitioners should review these for patch details and upgrade to remediated versions beyond 11.5.0.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables arbitrary code execution in the Ironic Python Agent (a remote provisioning service) when processing a malicious partition image, directly mapping to exploitation of remote services to execute adversary-controlled code.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28370Same vendor: Openstack
CVE-2026-43001Same vendor: Openstack
CVE-2026-40313Shared CWE-829
CVE-2026-3991Shared CWE-829
CVE-2026-40903Shared CWE-829
CVE-2022-49036Shared CWE-829
CVE-2022-49042Shared CWE-829
CVE-2026-32920Shared CWE-829
CVE-2026-41295Shared CWE-829
CVE-2025-53546Shared CWE-829

Affected Assets

openstack
ironic python agent
1.0.0 — 11.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Employs malicious code protection mechanisms to scan and eradicate malicious payloads in untrusted partition images before executing grub-install within the chroot environment.

prevent

Identifies and blocks external malicious code contained in the deployed partition image prior to chroot execution during deployment.

prevent

Requires inspection of untrusted partition images as supplied components to detect malicious functionality before processing with grub-install in chroot.

References