Advisories » MGASA-2025-0308

Updated konsole packages fix security vulnerability

Publication date: 21 Nov 2025
Modification date: 21 Nov 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-49091

Description

KDE Konsole before 25.04.2 allows remote code execution in a certain
scenario. It supports loading URLs from scheme handlers, such as an
ssh://, telnet://, or rlogin:// URL. This can be executed regardless of
whether the ssh, telnet, or rlogin binary is available. In this mode,
there is a code path where, if that binary is not available, Konsole
falls back to using /bin/bash for the given arguments (i.e., the URL)
provided. This allows an attacker to execute arbitrary code.
(CVE-2025-49091)
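The check below is an added example, not part of the advisory or of Konsole's own code. It reports which of the three URL schemes would reach the /bin/bash fallback on a host, given a Konsole version string. It assumes upstream version numbering, so a distribution package that carries a backported fix has to be verified by package release instead; the function names are illustrative.

```python
import re
import shutil
import sys

# "before 25.04.2" per the advisory text (upstream version numbering).
FIXED_UPSTREAM = (25, 4, 2)
# URL scheme -> binary Konsole expects to find for it (named in the advisory).
SCHEME_BINARIES = {"ssh": "ssh", "telnet": "telnet", "rlogin": "rlogin"}


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'konsole 25.04.1'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def fallback_schemes(version_text, search_path=None):
    """Return the schemes whose binary is missing from search_path.

    On an affected Konsole these are the schemes that reach the /bin/bash
    fallback. A fixed upstream version returns an empty list.
    search_path is a PATH-style string; None means the current $PATH.
    """
    if parse_version(version_text) >= FIXED_UPSTREAM:
        return []
    return sorted(
        scheme
        for scheme, binary in SCHEME_BINARIES.items()
        if shutil.which(binary, path=search_path) is None
    )


if __name__ == "__main__":
    # Pass the output of `konsole --version` as the first argument;
    # the default below is a constructed sample value.
    version_text = sys.argv[1] if len(sys.argv) > 1 else "konsole 25.04.1"
    exposed = fallback_schemes(version_text)
    if exposed:
        print("Schemes on the fallback path:", ", ".join(exposed))
    else:
        print("No scheme reaches the fallback path for", version_text)
```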
                

References

SRPMS

9/core