An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"fixed": "10.2.3"
},
{
"introduced": "11.0.0"
},
{
"fixed": "11.2.1"
},
{
"introduced": "11.3.0"
},
{
"fixed": "11.5.1"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43003.json",
"cna_assigner": "mitre",
"cwe_ids": [
"CWE-829"
]
}{
"source": [
"DESCRIPTION",
"CPE_RANGE"
],
"cpe": "cpe:2.3:a:openstack:ironic_python_agent:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "1.0.0"
},
{
"fixed": "11.5.0"
},
{
"last_affected": "11.5.0"
}
]
}