High severity 7.8 · NVD Advisory · Published May 20, 2026 · Updated Jun 5, 2026
CVE-2026-41054
Description
In src/havegecmd.c, the socket_handler function performs a credential check on the abstract UNIX socket (\0/sys/entropy/haveged). However, while it detects if the connecting user is not root (cred.uid != 0) and prepares a negative acknowledgement (ASCII_NAK), it fails to stop execution. The code proceeds to the switch statement, allowing any local unprivileged user to execute privileged commands such as MAGIC_CHROOT.
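The control-flow flaw described above, reduced to a stand-alone model next to a fail-closed form (an added example, not haveged's source and not the project's patch). Only the names `ASCII_NAK`, `MAGIC_CHROOT` and `cred.uid` come from the description; `ASCII_ACK`, the structs, both handler functions and the numeric value given to `MAGIC_CHROOT` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-ins: ACK/NAK use the standard ASCII codes,
 * the MAGIC_CHROOT value is a placeholder, not haveged's. */
#define ASCII_ACK    0x06
#define ASCII_NAK    0x15
#define MAGIC_CHROOT 1

struct peer   { uid_t uid; };   /* models the peer credentials of the socket */
struct result { unsigned char reply; bool privileged_ran; };

/* Pattern from the description: the NAK is prepared for a non-root
 * peer, but nothing stops control from reaching the switch. */
struct result handler_flawed(struct peer cred, int cmd)
{
    struct result r = { ASCII_ACK, false };
    if (cred.uid != 0)
        r.reply = ASCII_NAK;        /* denial recorded, execution continues */
    switch (cmd) {
    case MAGIC_CHROOT:
        r.privileged_ran = true;    /* stands in for the privileged action */
        break;
    default:
        r.reply = ASCII_NAK;
        break;
    }
    return r;
}

/* Fail closed: default to NAK and return before any command dispatch. */
struct result handler_hardened(struct peer cred, int cmd)
{
    struct result r = { ASCII_NAK, false };
    if (cred.uid != 0)
        return r;                   /* unprivileged peer never reaches the switch */
    if (cmd == MAGIC_CHROOT) {
        r.privileged_ran = true;
        r.reply = ASCII_ACK;
    }
    return r;
}

int main(void)
{
    struct peer user = { 1000 };    /* constructed non-root peer */
    printf("flawed:   ran=%d\n", handler_flawed(user, MAGIC_CHROOT).privileged_ran);
    printf("hardened: ran=%d\n", handler_hardened(user, MAGIC_CHROOT).privileged_ran);
    return 0;
}
```

In the flawed handler the reply byte and the action disagree: the peer is sent a NAK while the command still runs, so a test that only inspects the reply would miss the bug.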
References
- www.openwall.com/lists/oss-security/2026/05/19/3 (nvd)
- www.openwall.com/lists/oss-security/2026/05/19/4 (nvd)
- www.openwall.com/lists/oss-security/2026/05/19/5 (nvd)
- www.openwall.com/lists/oss-security/2026/05/20/1 (nvd)
- www.openwall.com/lists/oss-security/2026/05/21/17 (nvd)
- www.openwall.com/lists/oss-security/2026/05/22/1 (nvd)
- bugzilla.suse.com/show_bug.cgi (nvd)
- lists.debian.org/debian-lts-announce/2026/06/msg00005.html (nvd)