Description
A Privilege Dropping / Lowering Errors/Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in  cosmic-greeter can allow an attacker to regain privileges that should have been dropped and abuse them in the racy checking logic.




This issue affects cosmic-greeter before https://github.Com/pop-os/cosmic-greeter/pull/426.
Published: 2026-03-30
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs in cosmic‑greeter during the user authentication process. A race condition between privilege dropping and subsequent checks allows an attacker to regain higher privileges that were intended to be relinquished. This results in privilege escalation, potentially enabling the attacker to gain unauthorized access to system resources. The flaw is categorized as an unauthorized privilege escalation (CWE‑271) combined with a time‑of‑check/time‑of‑use race (CWE‑367).

Affected Systems

The flaw affects Pop!_OS cosmic‑greeter versions prior to the merge of pull request 426 from the project’s GitHub repository. All users running the base package of cosmic‑greeter without the patch are vulnerable. The patch is available via the referenced issue and PR and addresses the TOCTOU race in the GetUserData method of com.system76.CosmicGreeter.

Risk and Exploitability

The CVSS base score is 5.8, reflecting moderate severity. No EPSS data is available, and the issue is not listed in the CISA KEV catalog, suggesting that widespread exploitation is not yet observed. Nevertheless, the attack vector is inferred to be local; a user with the ability to influence the greeter’s privilege‑dropping logic could trigger the race condition to elevate privileges. Because the exploit requires a race during startup, it may be challenging but remains a valid concern for systems requiring strict privilege separation.

Generated by OpenCVE AI on March 30, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update cosmic-greeter to the latest stable release that includes pull request 426 or later.
  • If an update is not immediately available, apply the patch from the referenced pull request manually to the source and rebuild the package.
  • Restart the system or the greeter service to ensure the updated code is in use.

Generated by OpenCVE AI on March 30, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Pop-os
Pop-os cosmic-greeter
Vendors & Products Pop-os
Pop-os cosmic-greeter

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
Description A Privilege Dropping / Lowering Errors/Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in  cosmic-greeter can allow an attacker to regain privileges that should have been dropped and abuse them in the racy checking logic. This issue affects cosmic-greeter before https://github.Com/pop-os/cosmic-greeter/pull/426.
Title Incomplete privilege drop for com.system76.CosmicGreeter.GetUserData
Weaknesses CWE-271
CWE-367
References
Metrics cvssV4_0

{'score': 5.8, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Pop-os Cosmic-greeter
cve-icon MITRE

Status: PUBLISHED

Assigner: suse

Published:

Updated: 2026-04-16T16:32:11.153Z

Reserved: 2026-02-05T15:37:24.184Z

Link: CVE-2026-25704

cve-icon Vulnrichment

Updated: 2026-04-16T16:32:11.153Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-30T08:16:16.990

Modified: 2026-04-16T17:16:54.590

Link: CVE-2026-25704

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:41:11Z

Weaknesses