CVE-2006-7240
Description
gnome-power-manager 2.14.0 does not properly implement the lock_on_suspend and lock_on_hibernate settings for locking the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GNOME Power Manager 2.14.0 fails to lock the screen on resume from suspend/hibernate despite settings, allowing physical access.
Vulnerability
GNOME Power Manager 2.14.0 (as shipped in Ubuntu 6.04/6.10) does not properly enforce the lock_on_suspend and lock_on_hibernate GConf keys when resuming from suspend or hibernate. The intended behavior—locking the screen before returning to the desktop—is triggered only when lock_on_use_screensaver_settings is set to false, but the locking mechanism itself fails. Affected version: 2.14.0-1ubuntu1 [1].
Exploitation
An attacker with physical proximity to an unattended laptop can simply press the power button or lid switch to trigger resume. No authentication is required; after resume the desktop is displayed immediately without a lock screen. The user must have previously set the lock_on_suspend and lock_on_hibernate keys to true and lock_on_use_screensaver_settings to false (as described in GConf documentation), but even then the lock does not engage [1].
Impact
Successful exploitation results in unauthorized physical access to the logged‑in user's session, including all open applications, files, and credentials. This is a violation of the confidentiality and integrity of the system (CIA impact: partial loss of confidentiality and integrity), akin to a screen lock bypass. The vulnerability is related to CVE-2010-2532 [1].
Mitigation
No official patch was released for GNOME Power Manager 2.14.0; the bug report dates from 2006 and the software is now end‑of‑life. Users on modern distributions should upgrade to a supported version of GNOME Power Manager (≥ 2.16) or migrate to a replacement such as xfce4-power-manager or systemd‑based power management. Affected Ubuntu releases should be updated to a patched kernel or use a different display manager that enforces screen locking on resume. The issue is not listed in the CISA KEV catalog [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:gnome:power_manager:2.14.0:*:*:*:*:*:*:*
- (no CPE) range: =2.14.0
Patches
No patches discovered yet.
References