Vulnerability Description
AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Automotive Grade Linux | <= 17.1.12 |
Related Weaknesses (CWE)
References
- https://gerrit.automotivelinux.org/gerrit/src/app-framework-binderBroken Link
- https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643Third Party Advisory
FAQ
What is CVE-2026-37525?
CVE-2026-37525 is a vulnerability with a CVSS score of 7.8 (HIGH). AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly...
How severe is CVE-2026-37525?
CVE-2026-37525 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-37525?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Automotive Grade Linux.