CVE-2026-37525: High severity AGL app-framework-binder (afb-daemon) vulnerability
AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The onsupervisioncall function in src/afb-supervision.c explicitly nullifies the request credentials by calling afbcontextchangecred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afbcredaddref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2026-37525?
CVE-2026-37525 is classified as a high severity privilege escalation vulnerability.
How do I fix CVE-2026-37525?
To mitigate CVE-2026-37525, update to a version of AGL app-framework-binder (afb-daemon) that is higher than v19.90.0.
What systems are affected by CVE-2026-37525?
CVE-2026-37525 affects AGL app-framework-binder (afb-daemon) versions up to and including v19.90.0.
What type of vulnerability is CVE-2026-37525?
CVE-2026-37525 is a privilege escalation vulnerability within the supervision Do command.
Who is the vendor for the software affected by CVE-2026-37525?
The vendor for the affected software is AGL (Automotive Grade Linux).