CVE-2026-37526
7.8 HIGHAGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Scl...
Published: 2026-05-01 · Last updated: 2026-05-18
Severity and scoring
- CVSS
- 7.8 HIGH
- Vector
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-284
Affected products
| Vendor | Product |
|---|---|
| linuxfoundation | automotive_grade_linux |
Description
AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket. The on_supervision_call function in src/afb-supervision.c dispatches all 8 commands without any credential verification. The abstract socket has no DAC protection, as acknowledged in the official CAUTION comment in src/afs-supervision.h. This allows a low-privileged local process to kill the daemon (DoS via Exit command), execute arbitrary API calls (via Do command), close arbitrary user sessions (via Sclose command), or leak the entire global configuration (via Config command). The vulnerability was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-44477 — CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments (9.9 CRITICAL)
- CVE-2026-44247 — Volcano is a Kubernetes-native batch scheduling system (6.8 MEDIUM)
- CVE-2026-44374 — Backstage is an open framework for building developer portals (4.3 MEDIUM)
- CVE-2026-45321 — On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm ... (9.6 CRITICAL)
- CVE-2026-37531 — AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-... (9.8 CRITICAL)
Same CWE
- CVE-2026-47261 — Wasmtime is a runtime for WebAssembly (7.5 HIGH)
- CVE-2026-50892 — Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attacke... (6.5 MEDIUM)
- CVE-2026-50891 — Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a cra... (8.1 HIGH)
- CVE-2026-50886 — Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources vi... (9.1 CRITICAL)
- CVE-2026-50885 — Incorrect access control in the share-based read endpoints of Sismics Docs (Teedy) v1.11 allow unauthorized attackers to access sensitive... (7.5 HIGH)