SB2026033164 - Multiple vulnerabilities in NoMachine

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) External Control of File Name or Path (CVE-ID: CVE-2026-5053)

The vulnerability allows a local user to delete arbitrary files.

The vulnerability exists due to application allows an attacker to control path of the files to delete. A local user can delete arbitrary files on the system.

2) Unquoted Search Path or Element (CVE-ID: CVE-2026-5055)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to uncontrolled search path or element within the NoMachine Device Server. A local user can execute arbitrary code with SYSTEM privileges.

3) External Control of File Name or Path (CVE-ID: CVE-2026-5054)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to external control of file path within the handling of command line parameters. A local user can execute arbitrary code on the system with elevated privileges.

Remediation

Install update from vendor's website.

References

• https://www.zerodayinitiative.com/advisories/ZDI-26-247/
• https://www.zerodayinitiative.com/advisories/ZDI-26-249/
• https://www.zerodayinitiative.com/advisories/ZDI-26-248/