Cyber Posture

CVE-2026-37525

Severity: High · LPE (local privilege escalation)

Published: 01 May 2026
Modified: 07 May 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-37525 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Automotivelinux (inferred from references). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 0.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-25 Reference Monitor (prevent): requires a reference monitor mechanism in afb-daemon to mediate and enforce access control policies on all dispatched API calls, preventing NULL credential propagation and privilege escalation.

AC-3 Access Enforcement (prevent): mandates enforcement of approved authorizations for logical access to APIs, blocking execution of attacker-controlled verbs under nullified credentials.

Least privilege (prevent): enforces the least privilege principle to limit the impact of escalated access even if APIs fail open on NULL credentials.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a local privilege escalation vulnerability (CWE-269) in afb-daemon that allows bypassing credential checks via NULL propagation in supervision API calls, directly enabling T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.

Deeper analysis

CVE-2026-37525 is a privilege escalation vulnerability in AGL app-framework-binder (afb-daemon) through version v19.90.0. The flaw occurs in the supervision Do command, specifically within the on_supervision_call function in src/afb-supervision.c, which explicitly nullifies request credentials via afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call through xapi->itf->call(xapi->closure, xreq). This NULL credential propagation, confirmed through afb-context.c:110 and afb-cred.c:163, results in APIs executing with a zeroed credential context. Attackers control the api and verb parameters via JSON input, allowing invocation of any registered API without credentials; APIs relying on context->credentials for authorization may fail open, enabling escalation. The issue, tied to CWE-269 (Improper Privilege Management), was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.

A local attacker with low privileges (PR:L) can exploit this with low attack complexity (AC:L), no user interaction (UI:N), and local access (AV:L), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) for a CVSS v3.1 base score of 7.8 in an unchanged scope (S:U). By crafting JSON input to specify arbitrary api and verb values, the attacker triggers execution of privileged APIs under a NULL credential context, bypassing checks that assume valid credentials and facilitating privilege escalation from low-privilege access.
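To make the fail-open behaviour described above concrete, here is an added example (not afb-daemon's code) that models the path with constructed types: a check that compares the caller's label only when credentials are present lets a NULL credential context through, while a check that treats absent credentials as a denial does not. The type names, function names and security labels are assumptions chosen for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, constructed for illustration; not afb-daemon's own types or
   functions. A credential carries the caller's security label. */
typedef struct cred { int uid; const char *label; } cred_t;
typedef struct context { cred_t *credentials; } context_t;

/* Mirrors the behaviour the advisory cites at afb-cred.c:163: NULL in, NULL out. */
static cred_t *cred_addref(cred_t *cred) { return cred; }

/* Stands in for afb_context_change_cred(&ctx, NULL): the context now has no credentials. */
static void context_change_cred(context_t *ctx, cred_t *cred) {
    ctx->credentials = cred_addref(cred);
}

/* Fail-open check: the label is compared only when a credential is present, so a
   NULL credential context is allowed through. This is the failure mode described. */
int authorize_fail_open(const context_t *ctx, const char *required_label) {
    if (ctx->credentials && strcmp(ctx->credentials->label, required_label) != 0)
        return 0;
    return 1;
}

/* Fail-closed check (the mitigation): absent credentials are denied outright. */
int authorize_fail_closed(const context_t *ctx, const char *required_label) {
    if (ctx->credentials == NULL)
        return 0;
    return strcmp(ctx->credentials->label, required_label) == 0;
}

typedef int (*authorize_fn)(const context_t *, const char *);

/* Model the supervision path: the caller's credentials are replaced with NULL,
   then the requested verb's check runs. Returns 1 if the call would be allowed. */
int dispatch_after_cred_nullified(authorize_fn authorize, const char *required_label) {
    cred_t caller = { 1000, "User::App::lowpriv" };   /* constructed sample caller */
    context_t ctx = { &caller };
    context_change_cred(&ctx, NULL);
    return authorize(&ctx, required_label);
}

/* Control case: the same checks with the caller's credentials left intact. */
int dispatch_with_cred(authorize_fn authorize, const char *caller_label,
                       const char *required_label) {
    cred_t caller = { 1000, caller_label };
    context_t ctx = { &caller };
    return authorize(&ctx, required_label);
}
```

The fail-closed variant is the property a reviewer would want every API that consults context->credentials to have, independent of what the dispatcher passes in.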

References include the AGL app-framework-binder Gerrit repository at https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder and a Gist with analysis at https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643, which may provide further details on patches or mitigations.

Details

CWE(s): CWE-269 (Improper Privilege Management)

Affected Products: Automotivelinux (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-2777 (shared CWE-269)
CVE-2025-48613 (shared CWE-269)
CVE-2026-35595 (shared CWE-269)
CVE-2025-64487 (shared CWE-269)
CVE-2025-67905 (shared CWE-269)
CVE-2024-13376 (shared CWE-269)
CVE-2025-26705 (shared CWE-269)
CVE-2025-37186 (shared CWE-269)
CVE-2026-24510 (shared CWE-269)
CVE-2026-23896 (shared CWE-269)

References

AGL app-framework-binder Gerrit repository: https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder
Analysis Gist: https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643