EulerOS 2.0 SP12 : sed (EulerOS-SA-2026-2628)

low Nessus Plugin ID 326181

Synopsis

The remote EulerOS host is missing a security update.

Description

According to the versions of the sed packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.(CVE-2026-5958)

Tenable has extracted the preceding description block directly from the EulerOS sed security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected sed packages.

See Also

http://www.nessus.org/u?ac96a7ac

Plugin Details

Severity: Low

ID: 326181

File Name: EulerOS_SA-2026-2628.nasl

Version: 1.1

Type: Local

Published: 7/10/2026

Updated: 7/10/2026

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

Percentile: 57.77

CVSS v2

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 3.9

Vector: CVSS2#AV:L/AC:H/Au:M/C:C/I:C/A:N

CVSS Score Source: CVE-2026-5958

CVSS v3

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 6

Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 2.1

Threat Score: 0.5

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:sed-help, p-cpe:/a:huawei:euleros:sed, cpe:/o:huawei:euleros:2.0

Required KB Items: Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp, Host/local_checks_enabled

Excluded KB Items: Host/EulerOS/uvp_version

Exploit Ease: No known exploits are available

Patch Publication Date: 7/10/2026

Vulnerability Publication Date: 4/20/2026

Reference Information

CVE: CVE-2026-5958

IAVA: 2026-A-0404