Skip to main content

SSSD CVE-2026-12610

| EUVDEUVD-2026-40268 MEDIUM
Expired Pointer Dereference (CWE-825)
2026-06-30 redhat GHSA-f953-7679-xc38
6.4
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.4 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.4 MEDIUM

Local-only vector, high complexity for heap control, high privileges required to manipulate YubiKey contents; CIA:H reflects crash-to-escalation potential confirmed by vendor.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
6.4 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 10:23 vuln.today
CVE Published
Jun 30, 2026 - 08:27 nvd
MEDIUM 6.4

DescriptionCVE.org

A flaw was found in sssd. When authenticating with a YubiKey, the SSSD PAM responder can crash due to a use-after-free vulnerability, where a memory pointer is incorrectly handled. A local attacker could exploit this flaw by manipulating smartcard or YubiKey contents, leading to a denial of service that disrupts authentication. This vulnerability also presents a potential for privilege escalation, although it is difficult to exploit.

AnalysisAI

Use-after-free in the SSSD PAM responder crashes the authentication daemon when a local attacker manipulates YubiKey or smartcard contents during an authentication attempt on Red Hat Enterprise Linux 6 through 10. The primary realized impact is a denial of service - the PAM responder crash disrupts all authentication - but the underlying memory corruption also presents a difficult-to-exploit privilege escalation path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local high-privileged access
Delivery
Enable or confirm YubiKey PAM auth configured
Exploit
Craft or modify YubiKey/smartcard contents
Execution
Trigger SSSD PAM responder authentication
Persist
Use-after-free dereference crashes daemon
Impact
Authentication denied (DoS) or heap manipulation enables privilege escalation

Vulnerability AssessmentAI

Exploitation The following specific conditions must all be satisfied for exploitation: (1) SSSD must be deployed as the PAM authentication broker on the target RHEL system (RHEL 6-10 or OpenShift Container Platform 4); (2) smartcard or YubiKey authentication must be enabled in sssd.conf (typically via pam_cert_auth = True or equivalent certificate authentication configuration - this is non-default and must be explicitly enabled by an administrator); (3) the attacker must have local access to the system with high-privileged credentials (CVSS PR:H), limiting the attack surface to insiders, physical access scenarios, or attackers who have already achieved elevated local access by other means; (4) the attacker must be able to manipulate the contents of a YubiKey or smartcard device, implying either physical possession of the token or privileged access to YubiKey management tools. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.4 (Medium) reflects a real but tightly constrained threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local operator or insider with high-privileged access on a RHEL host configured for YubiKey authentication crafts or modifies the contents of a YubiKey or smartcard to trigger a specific code path in the SSSD PAM responder. When the manipulated device is processed during an authentication attempt, the PAM responder dereferences a freed memory pointer, causing a crash and denying authentication to all users on the system. …
Remediation No specific patched SSSD package version is identified in the available reference data - patch availability should be verified directly against the Red Hat Security Advisory at https://access.redhat.com/security/cve/CVE-2026-12610 and the upstream SSSD issue tracker at https://github.com/SSSD/sssd/issues/8796. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-12610 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy