PatchSiren cyber security CVE debrief
CVE-2026-37525 Linuxfoundation CVE debrief
CVE-2026-37525 is a high-severity privilege-escalation issue in AGL app-framework-binder (afb-daemon). The supervision Do command path clears the request credentials before it dispatches an attacker-controlled API call, so the target API executes in a NULL-credential context. If downstream APIs make authorization decisions based on context->credentials and treat NULL as permissive or fail open, an attacker can reach functionality that should have been denied.
- Vendor: Linuxfoundation
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-01
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-01
- Advisory updated: 2026-05-18
Who should care
Automotive Linux/AGL maintainers, afb-daemon integrators, and teams that own APIs invoked through the supervision path should prioritize this issue. Security teams should also review any application logic that assumes NULL credentials are equivalent to authenticated or authorized access.
Technical summary
The CVE description states that on_supervision_call in src/afb-supervision.c explicitly calls afb_context_change_cred(&xreq->context, NULL) before invoking xapi->itf->call(xapi->closure, xreq). The metadata also describes the propagation chain through afb-context.c and afb-cred.c that preserves the NULL credential state. Because the api and verb parameters are attacker-controlled via JSON input, the caller can trigger execution of a chosen registered API under a NULL credential context. NVD classifies the issue as CWE-269 and records CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Defensive priority
High for any deployment that exposes or relies on the supervision Do command. According to the NVD vector the issue requires local access with low privileges (AV:L, PR:L), but the impact can be severe if privileged APIs fail open when credentials are NULL.
Recommended defensive actions
- Review and patch on_supervision_call so credentials are not cleared before dispatch, or so authorization is enforced explicitly before any API call is made.
- Audit all APIs reachable from afb-daemon for NULL-credential handling and treat NULL as unauthorized by default unless a specific design requires otherwise.
- Restrict access to the supervision Do command and any JSON paths that select api and verb values.
- Validate the vendor's fixed versions or advisory guidance for AGL app-framework-binder and confirm your deployed release is not in the affected range.
- Add logging and alerting for supervision calls that execute with NULL credentials or that invoke privileged APIs without an authenticated context.
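The fail-open pattern described in the technical summary, and the fail-closed check recommended in the audit step above, side by side as an added example. This is illustrative code, not afb-daemon's own: the structs, function names and the "System::Privileged" label are simplified, constructed stand-ins for the real afb_cred/afb_context types.

```c
/* Added example: NULL-credential handling in a simplified model of the
 * CWE-269 pattern. Types and names are hypothetical stand-ins, not the
 * real afb-daemon structures. */
#include <stddef.h>
#include <string.h>

struct cred {            /* stand-in for afb_cred */
    unsigned uid;
    const char *label;   /* constructed security label, e.g. "User::App" */
};

struct context {         /* stand-in for afb_context */
    struct cred *credentials;
};

enum { DENY = 0, ALLOW = 1 };

/* Vulnerable pattern: the label is only compared when credentials exist,
 * so a NULL credential context (what the caller is left with after
 * afb_context_change_cred(ctx, NULL)) falls through to ALLOW. */
int authorize_fail_open(const struct context *ctx, const char *required_label)
{
    if (ctx->credentials && strcmp(ctx->credentials->label, required_label) != 0)
        return DENY;
    return ALLOW;
}

/* Hardened pattern: missing or incomplete credentials are unauthorized by
 * default; only an explicit label match grants access. */
int authorize_fail_closed(const struct context *ctx, const char *required_label)
{
    if (ctx == NULL || ctx->credentials == NULL || ctx->credentials->label == NULL)
        return DENY;
    return strcmp(ctx->credentials->label, required_label) == 0 ? ALLOW : DENY;
}

/* Models the supervision dispatch path: credentials are cleared, then the
 * selected verb's authorization check runs inside that NULL context. */
int dispatch_with_cleared_cred(struct context *ctx,
                               int (*authorize)(const struct context *, const char *))
{
    ctx->credentials = NULL;   /* mirrors afb_context_change_cred(&xreq->context, NULL) */
    return authorize(ctx, "System::Privileged");
}
```

Run through the dispatch model, the fail-open check returns ALLOW for a caller whose real credentials would have been denied, while the fail-closed check returns DENY; the latter is the behaviour the audit step asks for.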
Evidence notes
This debrief is based on the CVE description and NVD metadata supplied in the corpus. The NVD record says the vulnerability is analyzed, assigns CWE-269, and lists CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The source metadata also includes a broken Gerrit reference and a third-party gist reference; those were not needed as primary evidence. The corpus contains version-context differences: the textual description says the issue exists through v19.90.0, while the NVD CPE criteria mark linuxfoundation:automotive_grade_linux as vulnerable up to 17.1.12. Consumers should verify exact affected versions against upstream release and patch information.
Official resources
- CVE-2026-37525 CVE record (CVE.org)
- CVE-2026-37525 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: [email protected] (Broken Link)
- Mitigation or vendor reference: [email protected] (Third Party Advisory)
CVE published: 2026-05-01T17:16:22.270Z; last modified: 2026-05-18T17:09:43.090Z.