Cyber Resilience

CVE-2026-37525

High · LPE · Updated

Published: 01 May 2026
Modified: 18 May 2026
KEV Added
Patch
CVSS Score (v3.1): 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-37525 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Linuxfoundation Automotive Grade Linux. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-37525 is a privilege escalation vulnerability in AGL app-framework-binder (afb-daemon) through version v19.90.0. The flaw occurs in the supervision Do command, specifically within the on_supervision_call function in src/afb-supervision.c, which explicitly nullifies request credentials via afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call through xapi->itf->call(xapi->closure, xreq). This NULL credential propagation, confirmed through afb-context.c:110 and afb-cred.c:163, results in APIs executing with a zeroed credential context. Attackers control the api and verb parameters via JSON input, allowing invocation of any registered API without credentials; APIs relying on context->credentials for authorization may fail open, enabling escalation. The issue, tied to CWE-269 (Improper Privilege Management), was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.

A local attacker with low privileges (PR:L) can exploit this with low attack complexity (AC:L), no user interaction (UI:N), and local access (AV:L), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) for a CVSS v3.1 base score of 7.8 in an unchanged scope (S:U). By crafting JSON input to specify arbitrary api and verb values, the attacker triggers execution of privileged APIs under a NULL credential context, bypassing checks that assume valid credentials and facilitating privilege escalation from low-privilege access.

References include the AGL app-framework-binder Gerrit repository at https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder and a Gist with analysis at https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643, which may provide further details on patches or mitigations.

Vulnerability details

AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.
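To make the fail-open pattern described above concrete, here is an added example (constructed for this page, not afb-daemon's code; every type and function name in it is hypothetical). It places a verb authorization check that treats a NULL credential context as unrestricted beside a fail-closed version, and routes both through a reference-monitor style dispatcher (the AC-25 mitigation named on this page) that applies the check to every call before the verb handler runs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified request context (constructed for this example, not
 * afb-daemon's real types). credentials == NULL models the zeroed context. */
typedef struct { int uid; const char *label; } cred_t;
typedef struct { cred_t *credentials; } ctx_t;
/* Fail-open check: a missing credential block is treated as "no restriction".
 * This is the defect class the analysis above describes. */
bool verb_allowed_fail_open(const ctx_t *ctx, const char *required_label) {
    if (ctx->credentials == NULL)
        return true;  /* BUG: NULL credentials authorize everything */
    return strcmp(ctx->credentials->label, required_label) == 0;
}
/* Fail-closed check: any missing or malformed credential is a deny. */
bool verb_allowed_fail_closed(const ctx_t *ctx, const char *required_label) {
    if (ctx == NULL || ctx->credentials == NULL || ctx->credentials->label == NULL)
        return false;
    return strcmp(ctx->credentials->label, required_label) == 0;
}
/* Reference-monitor style dispatch (AC-25): the check runs on every call
 * before the verb handler, so no handler can skip it. */
typedef int (*verb_fn)(void);
typedef bool (*check_fn)(const ctx_t *, const char *);
int dispatch(const ctx_t *ctx, const char *required_label,
             verb_fn handler, check_fn check) {
    if (!check(ctx, required_label))
        return -1;  /* denied before the handler is reached */
    return handler();
}
/* Stand-in for a privileged verb; returns a marker so callers can tell it ran. */
static int privileged_verb(void) { return 42; }
/* Outcomes for a request whose credentials were nullified before dispatch. */
int null_cred_fail_open(void) {
    ctx_t ctx = { NULL };
    return dispatch(&ctx, "admin", privileged_verb, verb_allowed_fail_open);
}
int null_cred_fail_closed(void) {
    ctx_t ctx = { NULL };
    return dispatch(&ctx, "admin", privileged_verb, verb_allowed_fail_closed);
}
/* A properly credentialed caller still passes the fail-closed check. */
int valid_cred_fail_closed(void) {
    cred_t c = { 1000, "admin" };
    ctx_t ctx = { &c };
    return dispatch(&ctx, "admin", privileged_verb, verb_allowed_fail_closed);
}
```

The fail-open variant lets the nullified request reach the privileged verb; the fail-closed variant denies it while still admitting a caller whose credentials match.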

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a local privilege escalation vulnerability (CWE-269) in afb-daemon that allows bypassing credential checks via NULL propagation in supervision API calls, directly enabling T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-37526 (same product: Linuxfoundation Automotive Grade Linux)
CVE-2026-37531 (same product: Linuxfoundation Automotive Grade Linux)
CVE-2026-37532 (same product: Linuxfoundation Automotive Grade Linux)
CVE-2026-37530 (same product: Linuxfoundation Automotive Grade Linux)
CVE-2024-53349 (same vendor: Linuxfoundation)
CVE-2026-23995 (same vendor: Linuxfoundation)
CVE-2026-22593 (same vendor: Linuxfoundation)
CVE-2025-36640 (shared CWE-269)
CVE-2026-29124 (shared CWE-269)
CVE-2026-21533 (shared CWE-269)

Affected Assets

Vendor: linuxfoundation
Product: automotive grade linux
Versions: ≤ 17.1.12

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Requires a reference monitor mechanism in afb-daemon to mediate and enforce access control policies on all dispatched API calls, preventing NULL credential propagation and privilege escalation.

prevent: Mandates enforcement of approved authorizations for logical access to APIs, blocking execution of attacker-controlled verbs under nullified credentials.

prevent: Enforces the least privilege principle to limit the impact of escalated access even if APIs fail open on NULL credentials.