GHSA-w4qv-m9pp-3xjr
Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Local D-Bus reachability gives AV:L; a low-privileged local account is needed (PR:L); winning the PID-reuse race makes it AC:H; success yields full root C:H/I:H/A:H.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
10Description PRE-NVD
AnalysisAI
Local privilege escalation in presire qSnapper before 1.3.3 lets a low-privileged user bypass Polkit authentication in the privileged D-Bus service by exploiting a PID-reuse race in the UnixProcessSubject authorization check. A successful race grants the attacker the authority of a privileged process, exposing high-impact root-level operations (snapshot/file restore) on the host. EPSS is low (0.13%, 3rd percentile) and no public exploit is identified; the issue was found in a coordinated SUSE security review and fixed in v1.3.3.
Technical ContextAI
qSnapper is a Qt-based snapshot management front-end (cpe:2.3:a:presire:qsnapper) that exposes privileged operations through a root D-Bus service guarded by Polkit. The flaw is a CWE-367 time-of-check/time-of-use race: the service identified the calling client with Polkit's UnixProcessSubject, which is keyed on a PID. Because PIDs are recycled by the kernel, an attacker can cause the PID inspected at authorization time to differ from the process that actually issued the call, so a privileged authorization decision is attributed to an unprivileged caller. The vendor fix replaces UnixProcessSubject with SystemBusNameSubject (a stable D-Bus connection name not subject to PID reuse) and additionally removes a cached m_authenticated flag, relying on Polkit's native auth_admin_keep behavior.
RemediationAI
Vendor-released patch: upgrade to qSnapper 1.3.3, which closes the PID-reuse race by switching Polkit checkAuthorization() from UnixProcessSubject to SystemBusNameSubject and removing the cached authentication state (see https://github.com/presire/qSnapper/releases/tag/v1.3.3 and https://security.opensuse.org/2026/05/26/qsnapper-dbus-issues.html#issue-polkit-bypass). If immediate upgrade is not possible, the most effective compensating control is to disable or stop the privileged qSnapper D-Bus service and remove its Polkit policy so no authorization path is reachable, accepting that snapshot/restore functionality becomes unavailable until patched; alternatively restrict who can reach the D-Bus interface by limiting local interactive/login accounts on hosts where the service runs, accepting that this only reduces the attacker population rather than fixing the race. Because v1.3.3 also addresses companion issues (CVE-2026-41046 through 41049), patching is strongly preferred over partial mitigations.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Vendor StatusVendor
SUSE
Severity: ImportantShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38259