CVE-2026-37526

Severity: High · Type: Local privilege escalation (LPE) · Status: Updated

Published: 01 May 2026
Modified: 18 May 2026
KEV Added: not listed
Patch: none recorded
CVSS v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0002 (7.1th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-37526 is a high-severity Improper Access Control (CWE-284) vulnerability in the app-framework-binder (afb-daemon) component of Linuxfoundation Automotive Grade Linux. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score places it at the 7.1th percentile for exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-37526 is a local privilege escalation vulnerability in the AGL app-framework-binder (afb-daemon) through version v19.90.0. It stems from the on_supervision_call function in src/afb-supervision.c, which dispatches eight privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token and slist) without any credential verification. The commands are reachable over the abstract Unix socket @urn:AGL:afs:supervision:socket. An abstract-namespace socket has no filesystem node, so filesystem discretionary access control (DAC) never applies to it; the project itself flags this limitation in a CAUTION comment in src/afs-supervision.h. The flaw was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29.

Because nothing on the socket authenticates the caller, any low-privileged local process can exploit the flaw. Successful exploitation enables denial of service by killing the daemon with the Exit command, execution of arbitrary API calls via the Do command, closure of arbitrary user sessions with the Sclose command, and leakage of the entire global configuration through the Config command. The CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high confidentiality, integrity and availability impacts, and the weakness maps to CWE-284 (Improper Access Control).

References point to the source code repository at https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder and a disclosure gist at https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643. The CVE description does not detail specific patches or mitigations.

Vulnerability details

AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket. The on_supervision_call function in src/afb-supervision.c dispatches all 8 commands without any credential verification. The abstract socket has no DAC protection, as acknowledged in the official CAUTION comment in src/afs-supervision.h. This allows a low-privileged local process to kill the daemon (DoS via Exit command), execute arbitrary API calls (via Do command), close arbitrary user sessions (via Sclose command), or leak the entire global configuration (via Config command). The vulnerability was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29.
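A check a practitioner can run on an image to find endpoints of this class, added here as an example and not part of the original page or the AGL project: /proc/net/unix lists every Unix socket, prints abstract names with a leading '@' in place of the NUL byte, and marks listening sockets with the __SO_ACCEPTCON flag (0x00010000). Every listening abstract socket it reports is reachable by any local uid with no DAC in the way, so each one needs in-protocol authentication of the kind the advisory says afb-daemon lacks. The sample table in the code is constructed for the demonstration; only the supervision socket's name comes from the advisory.

```c
/* Added example, not AGL project code. Inventory the abstract Unix sockets
 * that are currently accepting connections. Linux only. The sample table is
 * constructed; only the supervision socket name is taken from the advisory. */
#include <stdio.h>
#include <string.h>

#define SO_ACCEPTCON_FLAG 0x00010000u   /* __SO_ACCEPTCON: socket is listening */
#define MAX_PATH 108                    /* sizeof sockaddr_un.sun_path */

/* Constructed sample in /proc/net/unix layout:
 * Num RefCount Protocol Flags Type St Inode Path.
 * Line 1: listening abstract socket (the advisory's name).
 * Line 2: listening but filesystem-backed (DAC applies, not reported).
 * Line 3: abstract but connected, not listening (not reported).
 * Line 4: unnamed socket with no Path column. */
static const char SAMPLE_PROC_NET_UNIX[] =
    "Num       RefCount Protocol Flags    Type St Inode Path\n"
    "0000000000000000: 00000002 00000000 00010000 0001 01 20001 @urn:AGL:afs:supervision:socket\n"
    "0000000000000000: 00000002 00000000 00010000 0001 01 20002 /run/dbus/system_bus_socket\n"
    "0000000000000000: 00000003 00000000 00000000 0001 03 20003 @/tmp/.X11-unix/X0\n"
    "0000000000000000: 00000002 00000000 00000000 0002 01 20004\n";

/* Parse /proc/net/unix text and copy at most 'max' listening abstract names
 * (without the '@') into out[]. Returns how many were found. Names containing
 * whitespace are truncated at the first space, a limit of the %s parse. */
int listening_abstract_sockets(const char *table, char out[][MAX_PATH], int max)
{
    int found = 0;
    const char *line = table;
    while (*line && found < max) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (n >= sizeof buf) n = sizeof buf - 1;
        memcpy(buf, line, n);
        buf[n] = '\0';

        unsigned flags = 0;
        char path[MAX_PATH + 1] = "";
        /* "%*[^:]:" skips the kernel address column; only Flags and Path
         * are kept, so a full match assigns exactly 2 fields. The header
         * line and pathless lines fail that test. */
        int got = sscanf(buf, "%*[^:]: %*x %*x %x %*x %*x %*u %108s", &flags, path);
        if (got == 2 && (flags & SO_ACCEPTCON_FLAG) && path[0] == '@') {
            snprintf(out[found], MAX_PATH, "%s", path + 1);
            found++;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return found;
}

/* Wrappers that return results instead of printing them. */
int sample_listening_count(void)
{
    char names[16][MAX_PATH];
    return listening_abstract_sockets(SAMPLE_PROC_NET_UNIX, names, 16);
}

int sample_lists(const char *name)
{
    char names[16][MAX_PATH];
    int n = listening_abstract_sockets(SAMPLE_PROC_NET_UNIX, names, 16);
    for (int i = 0; i < n; i++)
        if (strcmp(names[i], name) == 0) return 1;
    return 0;
}

int main(void)
{
    /* Read the live table if available, else fall back to the sample. */
    static char table[65536];
    char names[64][MAX_PATH];
    FILE *f = fopen("/proc/net/unix", "r");
    size_t len = f ? fread(table, 1, sizeof table - 1, f) : 0;
    if (f) fclose(f);
    table[len] = '\0';
    int n = listening_abstract_sockets(len ? table : SAMPLE_PROC_NET_UNIX, names, 64);
    for (int i = 0; i < n; i++)
        printf("listening abstract socket: @%s\n", names[i]);
    return 0;
}
```

On the constructed sample only @urn:AGL:afs:supervision:socket is reported: the filesystem-backed D-Bus socket is excluded because file permissions still govern it, and the connected abstract X11 socket is excluded because it is not accepting connections. Run against a live AGL image, any name that appears here and belongs to a daemon with no peer-credential check is the same exposure class as this CVE.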

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a local privilege escalation flaw allowing low-privileged processes to access privileged supervision commands (including arbitrary API execution and DoS) via an unauthenticated abstract Unix socket, directly matching Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-37525 (same product: Linuxfoundation Automotive Grade Linux)
CVE-2026-37531 (same product: Linuxfoundation Automotive Grade Linux)
CVE-2026-37532 (same product: Linuxfoundation Automotive Grade Linux)
CVE-2026-37530 (same product: Linuxfoundation Automotive Grade Linux)
CVE-2026-23995 (same vendor: Linuxfoundation)
CVE-2026-22593 (same vendor: Linuxfoundation)
CVE-2026-48898 (shared CWE-284)
CVE-2026-25176 (shared CWE-284)
CVE-2026-48899 (shared CWE-284)
CVE-2024-56883 (shared CWE-284)

Affected Assets

linuxfoundation automotive grade linux, versions ≤ 17.1.12

This is the product-level range as listed. The vulnerability description itself scopes the flaw to afb-daemon through v19.90.0, so check the installed afb-daemon version directly rather than relying on this number alone.

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 (Access Enforcement) requires enforcement of approved authorizations for access to system resources. Applied here, the daemon must verify the caller before any supervision command is dispatched, which is exactly the check on_supervision_call lacks on the unauthenticated Unix socket.

Prevent: AC-6 (Least Privilege) ensures low-privileged processes cannot access or execute high-privilege supervision commands such as Exit, Do or Config without explicit authorization.

Prevent: AC-25 (Reference Monitor) mandates a mediation point that is always invoked and cannot be bypassed for access to the supervision socket, blocking dispatch of privileged commands to unverified local processes.
