CVE-2026-37525
Description
AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <= v19.90.0
Patches
Vulnerability mechanics
References
2- gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643nvdThird Party Advisory
- gerrit.automotivelinux.org/gerrit/src/app-framework-bindernvdBroken Link
News mentions
0No linked articles in our index yet.