Skip to main content

qSnapper CVE-2026-41045

| EUVDEUVD-2026-38259 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local D-Bus reachability gives AV:L; a low-privileged local account is needed (PR:L); winning the PID-reuse race makes it AC:H; success yields full root C:H/I:H/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

10
Analysis Updated
Jun 28, 2026 - 00:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 28, 2026 - 00:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 28, 2026 - 00:22 vuln.today
cvss_changed
CVSS changed
Jun 28, 2026 - 00:22 NVD
8.1 (HIGH) 7.0 (HIGH)
Patch available
Jun 22, 2026 - 17:01 EUVD
Source Code Evidence Fetched
Jun 22, 2026 - 16:53 vuln.today
Analysis Generated
Jun 22, 2026 - 16:53 vuln.today
CVSS changed
Jun 22, 2026 - 16:52 NVD
8.1 (HIGH)
CVE Published
May 27, 2026 - 20:45 oss-security
HIGH 8.1
CVE Published
May 27, 2026 - 20:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Local privilege escalation in presire qSnapper before 1.3.3 lets a low-privileged user bypass Polkit authentication in the privileged D-Bus service by exploiting a PID-reuse race in the UnixProcessSubject authorization check. A successful race grants the attacker the authority of a privileged process, exposing high-impact root-level operations (snapshot/file restore) on the host. EPSS is low (0.13%, 3rd percentile) and no public exploit is identified; the issue was found in a coordinated SUSE security review and fixed in v1.3.3.

Technical ContextAI

qSnapper is a Qt-based snapshot management front-end (cpe:2.3:a:presire:qsnapper) that exposes privileged operations through a root D-Bus service guarded by Polkit. The flaw is a CWE-367 time-of-check/time-of-use race: the service identified the calling client with Polkit's UnixProcessSubject, which is keyed on a PID. Because PIDs are recycled by the kernel, an attacker can cause the PID inspected at authorization time to differ from the process that actually issued the call, so a privileged authorization decision is attributed to an unprivileged caller. The vendor fix replaces UnixProcessSubject with SystemBusNameSubject (a stable D-Bus connection name not subject to PID reuse) and additionally removes a cached m_authenticated flag, relying on Polkit's native auth_admin_keep behavior.

RemediationAI

Vendor-released patch: upgrade to qSnapper 1.3.3, which closes the PID-reuse race by switching Polkit checkAuthorization() from UnixProcessSubject to SystemBusNameSubject and removing the cached authentication state (see https://github.com/presire/qSnapper/releases/tag/v1.3.3 and https://security.opensuse.org/2026/05/26/qsnapper-dbus-issues.html#issue-polkit-bypass). If immediate upgrade is not possible, the most effective compensating control is to disable or stop the privileged qSnapper D-Bus service and remove its Polkit policy so no authorization path is reachable, accepting that snapshot/restore functionality becomes unavailable until patched; alternatively restrict who can reach the D-Bus interface by limiting local interactive/login accounts on hosts where the service runs, accepting that this only reduces the attacker population rather than fixing the race. Because v1.3.3 also addresses companion issues (CVE-2026-41046 through 41049), patching is strongly preferred over partial mitigations.

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

Vendor StatusVendor

SUSE

Severity: Important

Share

CVE-2026-41045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy