Skip to main content

AGL app-framework-binder CVE-2026-37526

| EUVDEUVD-2026-26682 HIGH
Improper Access Control (CWE-284)
2026-05-01 mitre
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 17:32 vuln.today
EUVD ID Assigned
May 01, 2026 - 17:00 euvd
EUVD-2026-26682
Analysis Generated
May 01, 2026 - 17:00 vuln.today
CVE Published
May 01, 2026 - 00:00 nvd
HIGH 7.8

DescriptionCVE.org

AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket. The on_supervision_call function in src/afb-supervision.c dispatches all 8 commands without any credential verification. The abstract socket has no DAC protection, as acknowledged in the official CAUTION comment in src/afs-supervision.h. This allows a low-privileged local process to kill the daemon (DoS via Exit command), execute arbitrary API calls (via Do command), close arbitrary user sessions (via Sclose command), or leak the entire global configuration (via Config command). The vulnerability was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29.

AnalysisAI

Local privilege escalation in AGL app-framework-binder (afb-daemon) through v19.90.0 allows any low-privileged process to execute privileged supervision commands without authentication via an unprotected abstract Unix socket. Attackers can terminate the daemon (DoS), execute arbitrary API calls, close user sessions, or exfiltrate global configuration data. The vulnerability stems from commit b8c9d5de384 (2017-06-29) implementing 8 supervision commands with zero credential verification, acknowledged by developers as lacking DAC protection. EPSS data unavailable, not in CISA KEV, but technical details are publicly documented with proof-of-concept reference.

Technical ContextAI

AGL (Automotive Grade Linux) app-framework-binder is a framework daemon providing service binding infrastructure for automotive Linux systems. The vulnerability exists in src/afb-supervision.c's on_supervision_call function, which binds 8 privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) to an abstract Unix socket (@urn:AGL:afs:supervision:socket). Abstract Unix sockets in Linux namespaces lack filesystem-based permissions, relying entirely on application-layer authentication. The developers explicitly documented this limitation in src/afs-supervision.h with a CAUTION comment acknowledging the absence of DAC (Discretionary Access Control) protection. The socket accepts connections from any local process regardless of UID/GID, and the handler functions perform no credential checks before executing privileged operations affecting daemon state, active sessions, or configuration data.

RemediationAI

No vendor-released patch version is explicitly confirmed in available data; affected version ceiling is v19.90.0 but fix version not specified. Consult the official AGL Gerrit repository (https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder) for commits addressing supervision socket authentication after v19.90.0. Immediate workarounds: (1) Implement mandatory access control (MAC) policies via SELinux or AppArmor to restrict processes authorized to connect to abstract socket @urn:AGL:afs:supervision:socket - requires policy authoring expertise and may break legitimate supervision tools. (2) Deploy network namespace isolation to segregate afb-daemon from untrusted processes - adds complexity to container/systemd configurations. (3) Run afb-daemon in restricted user namespaces where only trusted UIDs can access the socket - may conflict with multi-user automotive scenarios. (4) Audit all processes with local execution capability and remove unnecessary binaries - reduces attack surface but does not eliminate vulnerability. All mitigations require system-level configuration changes and may impact legitimate supervision functionality.

Share

CVE-2026-37526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy