CVE-2026-37526
Published: 01 May 2026
Summary
CVE-2026-37526 is a high-severity Improper Access Control (CWE-284) vulnerability in Linuxfoundation Automotive Grade Linux. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 7.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-37526 is a local privilege escalation vulnerability in the AGL app-framework-binder (afb-daemon) through v19.90.0. It stems from the on_supervision_call function in src/afb-supervision.c, which dispatches eight privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, and slist) without any credential verification. These commands are reachable over the abstract Unix socket @urn:AGL:afs:supervision:socket, which has no discretionary access control (DAC) protection, as explicitly cautioned in src/afs-supervision.h. The flaw was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29.
Any low-privileged local process can exploit this vulnerability due to the absence of authentication on the abstract socket. Successful exploitation enables denial of service by killing the daemon with the Exit command, execution of arbitrary API calls via the Do command, closure of arbitrary user sessions using the Sclose command, or leakage of the entire global configuration through the Config command. The CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high confidentiality, integrity, and availability impacts, and it maps to CWE-284 (Improper Access Control).
References point to the source code repository at https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder and a disclosure gist at https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643. The CVE description does not detail specific patches or mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26682
Vulnerability details
AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket. The on_supervision_call function in src/afb-supervision.c dispatches all 8 commands without any credential verification. The abstract socket has no DAC protection, as acknowledged in the official CAUTION comment in src/afs-supervision.h. This allows a low-privileged local process to kill the daemon (DoS via Exit command), execute arbitrary API calls (via Do command), close arbitrary user sessions (via Sclose command), or leak the entire global configuration (via Config command). The vulnerability was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a local privilege escalation flaw allowing low-privileged processes to access privileged supervision commands (including arbitrary API execution and DoS) via an unauthenticated abstract Unix socket, directly matching Exploitation for Privilege Escalation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations for access to system resources, directly preventing low-privileged local processes from executing privileged supervision commands via the unauthenticated Unix socket.
AC-6 enforces least privilege, ensuring low-privileged processes cannot access or execute high-privilege supervision commands like Exit, Do, or Config without authorization.
AC-25 mandates a reference monitor to mediate all access to the supervision socket, blocking unauthorized dispatch of privileged commands by unverified local processes.
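The following is an added example, not code from afb-daemon or the AGL project, illustrating both the mechanism described under Deeper analysis and the controls listed above: a single mediation point that checks the kernel-reported peer credentials (SO_PEERCRED) before any supervision verb is dispatched (AC-25 reference monitor, AC-3 access enforcement, AC-6 least privilege), plus a pathname socket created with mode 0600 as the DAC-protected alternative to an abstract-namespace socket. The enum, the supervisor_uid policy, the function names and the socket path are assumptions made for this example; only the eight verb names and the abstract socket name come from the advisory.

```c
#define _GNU_SOURCE                     /* struct ucred and SO_PEERCRED (Linux) */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Hypothetical stand-in for the eight supervision verbs named in the advisory;
 * the real dispatcher is on_supervision_call() in src/afb-supervision.c. */
typedef enum { CMD_UNKNOWN = 0, CMD_EXIT, CMD_DO, CMD_SCLOSE, CMD_CONFIG,
               CMD_TRACE, CMD_DEBUG, CMD_TOKEN, CMD_SLIST } sup_cmd_t;

sup_cmd_t parse_supervision_cmd(const char *verb)
{
    static const struct { const char *name; sup_cmd_t cmd; } table[] = {
        {"Exit", CMD_EXIT}, {"Do", CMD_DO}, {"Sclose", CMD_SCLOSE},
        {"Config", CMD_CONFIG}, {"Trace", CMD_TRACE}, {"Debug", CMD_DEBUG},
        {"Token", CMD_TOKEN}, {"slist", CMD_SLIST},
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(verb, table[i].name) == 0)
            return table[i].cmd;
    return CMD_UNKNOWN;
}

/* Ask the kernel who is on the other end of a connected AF_UNIX socket.
 * SO_PEERCRED is recorded by the kernel at connect()/socketpair() time and
 * cannot be forged by the peer. Returns 0 on success, -1 on error. */
int get_peer_credentials(int fd, struct ucred *out)
{
    socklen_t len = sizeof *out;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len) < 0)
        return -1;
    return len == sizeof *out ? 0 : -1;
}

/* Reference-monitor style gate (AC-25 / AC-3): every supervision verb passes
 * through here, and only a peer running as supervisor_uid may proceed.
 * Returns 1 if the command may be dispatched, 0 otherwise (fails closed). */
int supervision_call_authorized(int fd, uid_t supervisor_uid, sup_cmd_t cmd)
{
    struct ucred peer;
    if (cmd == CMD_UNKNOWN)
        return 0;                       /* never dispatch an unrecognised verb */
    if (get_peer_credentials(fd, &peer) < 0)
        return 0;                       /* credentials unavailable: refuse */
    return peer.uid == supervisor_uid;  /* AC-6: exact-match least privilege */
}

/* DAC alternative to the abstract namespace (sun_path[0] == '\0', as used by
 * @urn:AGL:afs:supervision:socket, which no file permission protects): a
 * pathname socket is an inode, so its mode decides who may connect().
 * Returns the listening fd or -1 on error. */
int bind_private_socket(const char *path)
{
    struct sockaddr_un addr;
    if (strlen(path) >= sizeof addr.sun_path)
        return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    unlink(path);                       /* drop a stale socket from an earlier run */
    mode_t old = umask(0177);           /* socket inode is created 0600 */
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    umask(old);
    if (rc < 0 || listen(fd, 4) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Bind a private socket at path, report its permission bits (or -1), clean up. */
int demo_private_socket_mode(const char *path)
{
    struct stat st;
    int lfd = bind_private_socket(path);
    if (lfd < 0)
        return -1;
    int mode = stat(path, &st) < 0 ? -1 : (int)(st.st_mode & 0777);
    close(lfd);
    unlink(path);
    return mode;
}

/* Self-contained check: a socketpair() stands in for a client connection, so
 * the peer's uid is our own. Returns the gate's verdict for verb, -1 on error. */
int demo_gate(uid_t supervisor_uid, const char *verb)
{
    int fds[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0)
        return -1;
    int ok = supervision_call_authorized(fds[0], supervisor_uid, parse_supervision_cmd(verb));
    close(fds[0]);
    close(fds[1]);
    return ok;
}

int main(void)
{
    printf("same uid, 'Exit'     -> %d\n", demo_gate(getuid(), "Exit"));
    printf("other uid, 'Exit'    -> %d\n", demo_gate(getuid() + 1, "Exit"));
    printf("same uid, 'Bogus'    -> %d\n", demo_gate(getuid(), "Bogus"));
    printf("pathname socket mode -> %o\n", demo_private_socket_mode("./afb-supervision-demo.sock"));
    return 0;
}
```

The design point is that the peer's uid is asserted by the kernel rather than by anything the client sends, so a low-privileged process cannot present itself as the supervisor; the pathname socket adds a second, independent layer, because connect() on it is subject to ordinary file permissions, which an abstract-namespace name never is.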