VYPR
High severity · 7.8 · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-41054

Description

In src/havegecmd.c, the socket_handler function performs a credential check on the abstract UNIX socket (\0/sys/entropy/haveged). However, while it detects if the connecting user is not root (cred.uid != 0) and prepares a negative acknowledgement (ASCII_NAK), it fails to stop execution. The code proceeds to the switch statement, allowing any local unprivileged user to execute privileged commands such as MAGIC_CHROOT.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing return after a UID check in haveged's command socket handler allows any local user to execute privileged commands as root.

Vulnerability

In src/havegecmd.c, the socket_handler function performs a credential check on the abstract UNIX socket (\0/sys/entropy/haveged). When the connecting peer's UID is not root (cred.uid != 0), the function sends a negative acknowledgement (ASCII_NAK) but then fails to return or exit, so execution continues into the switch statement [1][3]. This bug affects haveged versions from 1.9.3 to 1.9.20 inclusive [1][4].

Exploitation

A local unprivileged attacker only needs the ability to connect to the abstract UNIX socket \0/sys/entropy/haveged. By sending the MAGIC_CHROOT command, the attacker can force the root-running daemon to chroot(2) into an attacker-controlled directory and then execv(3) itself, re‑executing from that directory. By placing a malicious dynamic linker or libc in that directory, the attacker achieves arbitrary code execution as root [1][3].

Impact

Successful exploitation gives the attacker full root privileges on the system. The root‑running daemon can be coerced into running arbitrary code with no additional authentication or special privileges beyond a local account [1][2][3].

Mitigation

haveged version 1.9.21, released on 2026‑05‑19, fixes the issue by adding the missing return after the NAK response [4]. Users should update to 1.9.21 or later. No workaround is available for versions that are no longer supported. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) as of the publication date.
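The control-flow difference between the affected and the fixed handler, as an added reduced model in C (not haveged's source code). The struct names, handler names, the stubbed privileged action and the MAGIC_CHROOT value are assumptions made for this illustration:

```c
/* Reduced model of the missing-return pattern; not code from haveged. */
#include <stdio.h>

#define ASCII_ACK    0x06   /* ASCII ACK control character */
#define ASCII_NAK    0x15   /* ASCII NAK control character */
#define MAGIC_CHROOT 'R'    /* constructed value for this model only */

struct peer_cred { unsigned int uid; };            /* stands in for the socket peer credentials */
struct result { int reply; int privileged_ran; };  /* hypothetical: what the handler did */

/* Stub for the privileged command: it only records that it was reached. */
static void do_privileged(struct result *r) { r->privileged_ran = 1; }

/* Affected shape: the NAK is prepared, but nothing stops execution. */
struct result handler_flawed(struct peer_cred cred, int cmd)
{
    struct result r = { ASCII_ACK, 0 };
    if (cred.uid != 0)
        r.reply = ASCII_NAK;        /* no return here: control reaches the switch */
    switch (cmd) {
    case MAGIC_CHROOT: do_privileged(&r); break;
    default:           r.reply = ASCII_NAK; break;
    }
    return r;
}

/* Fixed shape: a rejected peer returns before any command is dispatched. */
struct result handler_fixed(struct peer_cred cred, int cmd)
{
    struct result r = { ASCII_ACK, 0 };
    if (cred.uid != 0) {
        r.reply = ASCII_NAK;
        return r;                   /* the missing return */
    }
    switch (cmd) {
    case MAGIC_CHROOT: do_privileged(&r); break;
    default:           r.reply = ASCII_NAK; break;
    }
    return r;
}

int main(void)
{
    struct peer_cred user = { 1000 };   /* constructed non-root peer */
    printf("flawed: privileged_ran=%d\n", handler_flawed(user, MAGIC_CHROOT).privileged_ran);
    printf("fixed:  privileged_ran=%d\n", handler_fixed(user, MAGIC_CHROOT).privileged_ran);
    return 0;
}
```

In the flawed shape the non-root peer still receives a NAK while the command runs, so the reply sent to a client is not evidence that the request was refused.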

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

5
