Description
AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket. The on_supervision_call function in src/afb-supervision.c dispatches all 8 commands without any credential verification. The abstract socket has no DAC protection, as acknowledged in the official CAUTION comment in src/afs-supervision.h. This allows a low-privileged local process to kill the daemon (DoS via Exit command), execute arbitrary API calls (via Do command), close arbitrary user sessions (via Sclose command), or leak the entire global configuration (via Config command). The vulnerability was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29.
Published: 2026-05-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unprotected abstract Unix socket, @urn:AGL:afs:supervision:socket, used by the AGL app-framework-binder (afb-daemon) allows any local process to invoke privileged supervision commands without authentication. The commands are Exit, Do, Sclose, Config, Trace, Debug, Token, and slist. Abstract-namespace sockets have no filesystem node, so no file-permission (DAC) check ever applies to them, and the server's on_supervision_call dispatcher checks no peer credentials either. A low‑privileged local process can therefore terminate the daemon, execute arbitrary API calls through it, close other users' sessions, or read the entire global configuration. The result is local privilege escalation into the daemon's authority, usable for denial of service, tampering with the daemon's behaviour, or information disclosure.

Affected Systems

The flaw exists in the AGL app-framework-binder up to and including version 19.90.0. Installations that use the afb‑daemon and expose the supervision socket are vulnerable. No vendor or product list beyond the AGL framework itself is provided.

Risk and Exploitability

The CVSS 3.1 base score of 7.8 classifies the issue as high severity. The EPSS score is below 1%, so the predicted probability of exploitation in the wild is very low, and the vulnerability is not listed in CISA's KEV catalog. Exploitation needs only local access: any process that can connect to the abstract socket can issue supervision commands, and there is no documented remote vector. The bug was introduced in 2017 and has shipped in releases up to and including v19.90.0. Successful exploitation results in service disruption, arbitrary API invocation, or data leakage.

Generated by OpenCVE AI on May 2, 2026 at 10:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict who can reach the supervision socket. Abstract-namespace Unix sockets have no filesystem node, so file permissions cannot be set on them, and network firewalls do not see AF_UNIX traffic. What does scope them is the network namespace: an abstract name is reachable only by processes in the namespace where it was bound, so running afb-daemon in its own network namespace confines the socket to processes deliberately placed there (workable only where the daemon's other services remain reachable).
  • Deploy a mandatory access control policy (SELinux or AppArmor; both can express rules for abstract Unix socket addresses) so that only privileged domains may connect to @urn:AGL:afs:supervision:socket. The LSM hooks apply to abstract sockets even though DAC does not.
  • If supervision is unnecessary, build or run the daemon with the supervision endpoint disabled where the build supports it. Renaming the socket is not a mitigation: every bound abstract name is listed in /proc/net/unix (with a leading @) and is readable by any local user.
  • Monitor for unexpected clients of the supervision socket, for example with ss -xp, which shows abstract names with a leading @ together with the owning process, and investigate any connection from an unprivileged process.

Generated by OpenCVE AI on May 2, 2026 at 10:47 UTC.
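As an added example (not code from the afb-daemon project or from the OpenCVE page), the following Linux C program reproduces the shape of the problem described above and the check a practitioner would add in on_supervision_call's position: a server binds an abstract-namespace socket, a forked child stands in for an arbitrary local process that connects and sends a command, and the server either dispatches unconditionally (the vulnerable shape) or first reads the peer's kernel-supplied credentials with SO_PEERCRED and accepts only an allowed uid. The socket name, the "EXIT" command string and the uid-only policy are assumptions made for the demo; AGL's real supervision protocol is not on this page and is not modelled.

```c
#define _GNU_SOURCE            /* struct ucred and SOCK_CLOEXEC on glibc */
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <sys/wait.h>

#define DEMO_BASENAME "demo:supervision:socket"  /* hypothetical, not afb's */

/* Abstract-namespace address: sun_path[0] is NUL and the name follows it.
 * Returns the length to pass to bind()/connect(). */
static socklen_t abstract_addr(struct sockaddr_un *sa, const char *name)
{
    size_t n = strlen(name);
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    if (n > sizeof sa->sun_path - 1)
        n = sizeof sa->sun_path - 1;
    memcpy(sa->sun_path + 1, name, n);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* The check the page says on_supervision_call lacks: accept the client only
 * if the kernel-reported peer uid is the one allowed to supervise (assumed policy). */
int supervision_peer_allowed(const struct ucred *peer, uid_t allowed_uid)
{
    return peer->uid == allowed_uid;
}

/* One client/server exchange over an abstract socket. check_peer == 0 is the
 * vulnerable shape (dispatch whatever connects); check_peer != 0 consults
 * SO_PEERCRED first. Returns 1 dispatched, 0 refused, -1 on a system error. */
int run_demo(int check_peer, uid_t allowed_uid)
{
    char name[96], cmd[8] = {0}, reply;
    struct sockaddr_un sa;
    int srv, conn, dispatched = 1;
    pid_t pid;

    snprintf(name, sizeof name, "%s:%ld", DEMO_BASENAME, (long)getpid());
    socklen_t len = abstract_addr(&sa, name);
    if ((srv = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) < 0)
        return -1;
    /* bind() creates no inode here, so umask/chmod can never protect it. */
    if (bind(srv, (struct sockaddr *)&sa, len) < 0 || listen(srv, 1) < 0 ||
        (pid = fork()) < 0) {
        close(srv);
        return -1;
    }
    if (pid == 0) {                 /* child: an arbitrary local process */
        int c;
        close(srv);
        if ((c = socket(AF_UNIX, SOCK_STREAM, 0)) < 0 ||
            connect(c, (struct sockaddr *)&sa, len) < 0 ||
            write(c, "EXIT", 5) != 5)
            _exit(2);
        (void)read(c, &reply, 1);   /* wait for the server's verdict */
        _exit(0);
    }
    /* Parent = server. poll() so a failed child cannot hang accept(). */
    struct pollfd pfd = { srv, POLLIN, 0 };
    if (poll(&pfd, 1, 5000) <= 0 || (conn = accept(srv, NULL, NULL)) < 0) {
        close(srv);
        waitpid(pid, NULL, 0);
        return -1;
    }
    close(srv);
    if (check_peer) {
        struct ucred peer;
        socklen_t plen = sizeof peer;
        if (getsockopt(conn, SOL_SOCKET, SO_PEERCRED, &peer, &plen) < 0)
            dispatched = 0;         /* fail closed */
        else
            dispatched = supervision_peer_allowed(&peer, allowed_uid);
    }
    (void)read(conn, cmd, sizeof cmd - 1);
    /* A real server would invoke the command handler only if dispatched. */
    reply = dispatched ? '1' : '0';
    (void)write(conn, &reply, 1);
    close(conn);
    waitpid(pid, NULL, 0);
    return dispatched;
}

int main(void)
{
    umask(077);                     /* no effect on an abstract socket */
    printf("no peer check         -> dispatched=%d\n", run_demo(0, getuid()));
    printf("peer check, own uid   -> dispatched=%d\n", run_demo(1, getuid()));
    printf("peer check, other uid -> dispatched=%d\n", run_demo(1, getuid() + 1));
    return 0;
}
```

The umask(077) call in main changes nothing, because bind() on an abstract name creates no filesystem object; that is why the CAUTION comment cited in the description is right that DAC cannot protect the socket. SO_PEERCRED is the minimum a supervision endpoint should consult before dispatching; a stricter policy (a specific pid, an LSM label, or a capability check) can be layered on the same hook.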


Advisories

No advisories yet.

History

Mon, 18 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Linuxfoundation; Linuxfoundation automotive Grade Linux
CPEs | | cpe:2.3:o:linuxfoundation:automotive_grade_linux:*:*:*:*:*:*:*:*
Vendors & Products | | Linuxfoundation; Linuxfoundation automotive Grade Linux

Mon, 04 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Automotivelinux; Automotivelinux app-framework-binder
Vendors & Products | | Automotivelinux; Automotivelinux app-framework-binder

Sat, 02 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Title | | Local Privilege Escalation via Unauthenticated Supervision Commands in AGL app-framework-binder

Fri, 01 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-284
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 01 May 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket. The on_supervision_call function in src/afb-supervision.c dispatches all 8 commands without any credential verification. The abstract socket has no DAC protection, as acknowledged in the official CAUTION comment in src/afs-supervision.h. This allows a low-privileged local process to kill the daemon (DoS via Exit command), execute arbitrary API calls (via Do command), close arbitrary user sessions (via Sclose command), or leak the entire global configuration (via Config command). The vulnerability was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29.
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AC:L/AV:L/A:H/C:H/I:H/PR:L/S:U/UI:N'}

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T19:45:29.901Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37526

Vulnrichment

Updated: 2026-05-01T19:35:09.569Z

NVD

Status : Analyzed

Published: 2026-05-01T17:16:22.440

Modified: 2026-05-18T17:10:29.087

Link: CVE-2026-37526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:44:49Z

Weaknesses