Skip to main content

AGL app-framework-binder CVE-2026-37525

| EUVDEUVD-2026-26681 HIGH
Improper Privilege Management (CWE-269)
2026-05-01 mitre
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 17:31 vuln.today
EUVD ID Assigned
May 01, 2026 - 17:00 euvd
EUVD-2026-26681
Analysis Generated
May 01, 2026 - 17:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
HIGH 7.8

DescriptionCVE.org

AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.

AnalysisAI

Local privilege escalation in Automotive Grade Linux (AGL) app-framework-binder (afb-daemon) through v19.90.0 allows authenticated users to execute arbitrary registered APIs with nullified credentials. The supervision Do command in src/afb-supervision.c explicitly zeroes request credentials before dispatching attacker-controlled API calls, causing authorization checks to fail open when encountering NULL credential contexts. This enables low-privileged users to bypass access controls and execute privileged operations. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

The app-framework-binder (afb-daemon) is a core component of Automotive Grade Linux providing application framework services and API brokerage. The vulnerability resides in the supervision command handler where the on_supervision_call function in src/afb-supervision.c calls afb_context_change_cred(&xreq->context, NULL) before invoking xapi->itf->call(xapi->closure, xreq). This NULL credential propagates through afb-context.c line 110 where context->credentials = afb_cred_addref(NULL) and afb-cred.c line 163 which returns NULL when given NULL input. The attacker supplies both 'api' and 'verb' parameters via JSON, controlling which registered API endpoint executes with the nullified credential context. APIs implementing security checks that compare against context->credentials without NULL-safety may interpret NULL as a privileged or default-allow state rather than rejecting the request. The flaw was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on February 14, 2018, indicating multi-year exposure in deployed automotive systems.

RemediationAI

Upgrade to app-framework-binder version 19.90.1 or later once available, as no specific patched version is confirmed in available advisories at time of analysis. Monitor the AGL Gerrit repository at https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder for security commits addressing CVE-2026-37525. Review the technical analysis at https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 for exploitation details to inform compensating controls. As immediate mitigation, disable or restrict access to the supervision Do command interface if not operationally required - modify afb-daemon configuration to prevent untrusted local users from invoking supervision APIs, though this may impact legitimate management functionality. Implement mandatory access control policies (AppArmor, SELinux) to constrain afb-daemon process capabilities and limit damage from successful privilege escalation, accepting the trade-off of increased policy maintenance overhead. Audit all registered APIs for NULL credential handling - ensure authorization logic explicitly rejects NULL credential contexts rather than treating them as privileged, though this requires code changes across potentially numerous API implementations. For automotive deployments, implement network segmentation to isolate infotainment systems from safety-critical vehicle networks, reducing the blast radius of local privilege escalation exploits.

Share

CVE-2026-37525 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy