Qsnapper
Monthly
Local privilege escalation in qSnapper D-Bus service before version 1.3.3 allows any unprivileged local user to invoke privileged D-Bus methods after an administrator has previously authenticated for an unrelated Polkit action. The flaw stems from authentication state being implicitly carried over across different Polkit actions and users rather than being scoped per-action-per-caller, enabling unauthorized snapshot management on systems where the service is installed. No public exploit identified at time of analysis, though SUSE published a coordinated disclosure advisory alongside the upstream fix.
Unauthenticated local access to qSnapper's D-Bus snapshot diff interface before version 1.3.3 exposes read-protected file contents to any local user on the host. The 'snapshot diff' D-Bus methods - GetFileChanges, GetFileChangesBetween, GetFileDiffBetween, and GetFileDiffAndDetails - lacked any Polkit authorization check, meaning a local unprivileged caller could invoke them directly and receive sensitive file diff data. This is one of five authentication/authorization flaws (CVE-2026-41045 through CVE-2026-41049) discovered and reported by the SUSE security team under coordinated disclosure; no public exploit is identified at time of analysis.
Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. No public exploit identified at time of analysis, but the upstream advisory and Bugzilla entry document the issue in detail.
Local privilege escalation in presire qSnapper before 1.3.3 lets a low-privileged user bypass Polkit authentication in the privileged D-Bus service by exploiting a PID-reuse race in the UnixProcessSubject authorization check. A successful race grants the attacker the authority of a privileged process, exposing high-impact root-level operations (snapshot/file restore) on the host. EPSS is low (0.13%, 3rd percentile) and no public exploit is identified; the issue was found in a coordinated SUSE security review and fixed in v1.3.3.
Authentication bypass in qSnapper's privileged D-Bus service (versions before 1.3.3) allows any local unprivileged user to invoke administrative snapshot operations by piggy-backing on another client's prior Polkit authentication. The service stored authentication state in a single shared m_authenticated flag rather than per-client, so once any caller passed an admin check, all subsequent D-Bus callers inherited that state. No public exploit identified at time of analysis; the issue was found during a SUSE-coordinated security review and patched in v1.3.3.
Local privilege escalation in qSnapper D-Bus service before version 1.3.3 allows any unprivileged local user to invoke privileged D-Bus methods after an administrator has previously authenticated for an unrelated Polkit action. The flaw stems from authentication state being implicitly carried over across different Polkit actions and users rather than being scoped per-action-per-caller, enabling unauthorized snapshot management on systems where the service is installed. No public exploit identified at time of analysis, though SUSE published a coordinated disclosure advisory alongside the upstream fix.
Unauthenticated local access to qSnapper's D-Bus snapshot diff interface before version 1.3.3 exposes read-protected file contents to any local user on the host. The 'snapshot diff' D-Bus methods - GetFileChanges, GetFileChangesBetween, GetFileDiffBetween, and GetFileDiffAndDetails - lacked any Polkit authorization check, meaning a local unprivileged caller could invoke them directly and receive sensitive file diff data. This is one of five authentication/authorization flaws (CVE-2026-41045 through CVE-2026-41049) discovered and reported by the SUSE security team under coordinated disclosure; no public exploit is identified at time of analysis.
Local privilege escalation and denial of service in qSnapper before 1.3.3 stems from path traversal via the configName D-Bus parameter, allowing local attackers to point the snapper backend at attacker-controlled config files. Per the SUSE security review that produced coordinated fixes for CVE-2026-41045 through CVE-2026-41049, exploitation can crash the service or escalate to root through abuse of snapper configuration handling. No public exploit identified at time of analysis, but the upstream advisory and Bugzilla entry document the issue in detail.
Local privilege escalation in presire qSnapper before 1.3.3 lets a low-privileged user bypass Polkit authentication in the privileged D-Bus service by exploiting a PID-reuse race in the UnixProcessSubject authorization check. A successful race grants the attacker the authority of a privileged process, exposing high-impact root-level operations (snapshot/file restore) on the host. EPSS is low (0.13%, 3rd percentile) and no public exploit is identified; the issue was found in a coordinated SUSE security review and fixed in v1.3.3.
Authentication bypass in qSnapper's privileged D-Bus service (versions before 1.3.3) allows any local unprivileged user to invoke administrative snapshot operations by piggy-backing on another client's prior Polkit authentication. The service stored authentication state in a single shared m_authenticated flag rather than per-client, so once any caller passed an admin check, all subsequent D-Bus callers inherited that state. No public exploit identified at time of analysis; the issue was found during a SUSE-coordinated security review and patched in v1.3.3.