Cyber Resilience

CVE-2026-58302

High

Published: 30 June 2026

Published
30 June 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 4.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-58302 is a high-severity Path Traversal (CWE-22) vulnerability in Debian (inferred from references). Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

rtapi_app in linuxcnc-uspace in LinuxCNC before 2.9.9 allows privilege escalation. It is installed SUID root and loads shared library modules via dlopen() by using a user-supplied module name. Insufficient validation of the module name allows path traversal, enabling an unprivileged…

more

local user to load an arbitrary shared library. Because the process retains elevated privileges during module loading, this results in local privilege escalation to root.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1548.001 Setuid and Setgid Privilege Escalation
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context.
Why these techniques?

SUID-root binary with path traversal in dlopen() module loading directly enables local privilege escalation via exploitation of the setuid mechanism.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-9566Shared CWE-22
CVE-2025-55282Shared CWE-22
CVE-2025-54307Shared CWE-22
CVE-2024-48885Shared CWE-22
CVE-2025-66429Shared CWE-22
CVE-2025-11531Shared CWE-22
CVE-2024-36418Shared CWE-22
CVE-2024-38292Shared CWE-22
CVE-2026-23954Shared CWE-22
CVE-2025-62630Shared CWE-22

Affected Assets

Debian
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References