PatchSiren cyber security CVE debrief
CVE-2026-37526 Linuxfoundation CVE debrief
CVE-2026-37526 is a local authorization bypass in AGL app-framework-binder (afb-daemon) supervision handling. According to the supplied description, any local process can reach the abstract Unix socket @urn:AGL:afs:supervision:socket and invoke privileged supervision commands without authentication. The impact is broad: service shutdown, arbitrary API invocation, session control, configuration disclosure, and other privileged actions. Because the interface is local-only, the main exposure is from untrusted or compromised local code already running on the system, but the potential effect on availability, integrity, and confidentiality is high.
- Vendor: Linuxfoundation
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-01
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-01
- Advisory updated: 2026-05-18
Who should care
Teams operating Automotive Grade Linux systems, integrators shipping afb-daemon/app-framework-binder, and device maintainers who allow third-party or low-privilege local code on affected hosts should treat this as a priority. Security teams responsible for local hardening, service confinement, and package updates should also review it.
Technical summary
The supplied CVE text says on_supervision_call in src/afb-supervision.c dispatches eight supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, and slist) without verifying caller credentials. The socket is an abstract Unix socket: it has no filesystem node, so the file-permission (DAC) checks that would otherwise gate a socket path do not apply, and the source comment in src/afs-supervision.h reportedly acknowledges that limitation. In practice, any local process that can connect can invoke privileged supervision functions directly. The listed effects include daemon termination via Exit, arbitrary API calls via Do, closing user sessions via Sclose, and disclosure of the global configuration via Config. The source metadata also identifies CWE-284 (Improper Access Control), and NVD currently reports a high-severity CVSS 3.1 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Defensive priority
High. This is a low-privilege local attack with broad impact on system availability, integrity, and confidentiality, and it affects a core daemon interface rather than a peripheral feature.
Recommended defensive actions
- Update or backport a fix that enforces authentication or capability checks before any supervision command is dispatched.
- Restrict who can run untrusted or third-party local processes on affected AGL systems until patched.
- Audit deployments for exposure of the afb-daemon supervision socket and confirm whether any local confinement controls are actually effective for this abstract socket.
- Monitor for unexpected supervision activity, especially daemon exits, session closures, configuration reads, or unusual API execution patterns.
- If you maintain a downstream fork, review the supervision dispatch path and add explicit authorization checks before command handling.
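The following is an added example of the authorization gate the last action describes, written for this debrief; it is not afb-daemon's code and not the project's fix. It models the vulnerable dispatch shape (command name only, no caller identity) next to a hardened one that reads the peer's kernel-asserted credentials with SO_PEERCRED, which works for abstract sockets because it does not depend on a filesystem node, and checks an explicit policy before any command handler runs. The command names are the eight from the CVE description; the policy (root or the daemon's own uid), the function names and the peer_cred_t type are assumptions made for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Illustrative model of a supervision dispatcher; not afb-daemon's own code.
 * The command names are the eight listed in the CVE description. */
static const char *const SUPERVISION_CMDS[] = {
    "Exit", "Do", "Sclose", "Config", "Trace", "Debug", "Token", "slist"
};
#define N_SUPERVISION_CMDS (sizeof SUPERVISION_CMDS / sizeof SUPERVISION_CMDS[0])

enum { SUP_OK = 0, SUP_UNKNOWN = -1, SUP_DENIED = -2 };

/* Same field layout as Linux's struct ucred, so it can receive SO_PEERCRED directly
 * without needing the glibc-specific declaration. (Assumed name for this example.) */
typedef struct { pid_t pid; uid_t uid; gid_t gid; } peer_cred_t;

/* Vulnerable shape: the command is dispatched purely by name; nothing about the
 * calling process is consulted, so any local peer that can connect gets every command. */
int dispatch_unchecked(const char *cmd) {
    for (size_t i = 0; i < N_SUPERVISION_CMDS; i++)
        if (strcmp(cmd, SUPERVISION_CMDS[i]) == 0)
            return SUP_OK;               /* a real daemon would run the handler here */
    return SUP_UNKNOWN;
}

/* Hardened shape, step 1: obtain the peer's kernel-asserted credentials.
 * SO_PEERCRED on a connected AF_UNIX socket (abstract or path-bound) returns the
 * pid/uid/gid the kernel recorded for the peer at connect() time; the client cannot
 * forge them. Returns 0 on success, -1 if unavailable (non-Linux or error). */
int get_peer_cred(int fd, peer_cred_t *out) {
#if defined(__linux__) && defined(SO_PEERCRED)
    socklen_t len = sizeof *out;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len) != 0 || len != sizeof *out)
        return -1;
    return 0;
#else
    (void)fd; (void)out;
    return -1;
#endif
}

/* Hardened shape, step 2: an explicit policy. The policy here is an assumption for
 * the example (root or the daemon's own uid only); a deployment would substitute
 * whatever identity or capability model it actually wants to enforce. */
int supervision_authorized(const peer_cred_t *cred, uid_t daemon_uid) {
    if (cred == NULL) return 0;          /* no credentials, no access: fail closed */
    return cred->uid == 0 || cred->uid == daemon_uid;
}

/* Hardened shape, step 3: authorize before looking at the command at all, so every
 * command, including ones added later, sits behind the same gate. */
int dispatch_checked(const char *cmd, const peer_cred_t *cred, uid_t daemon_uid) {
    if (!supervision_authorized(cred, daemon_uid))
        return SUP_DENIED;
    return dispatch_unchecked(cmd);
}

/* Stand-alone demo: a socketpair stands in for an accepted supervision connection,
 * so the peer credentials seen here are this process's own. */
int main(void) {
    int sv[2];
    peer_cred_t cred;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) {
        perror("socketpair");
        return 1;
    }
    if (get_peer_cred(sv[1], &cred) != 0) {
        puts("SO_PEERCRED not available on this platform");
        return 1;
    }
    printf("peer pid=%ld uid=%ld gid=%ld\n", (long)cred.pid, (long)cred.uid, (long)cred.gid);
    printf("unchecked Exit -> %d\n", dispatch_unchecked("Exit"));
    printf("checked Exit from own uid -> %d\n", dispatch_checked("Exit", &cred, getuid()));
    peer_cred_t other = { 4242, 1000, 1000 };   /* constructed unprivileged peer */
    printf("checked Exit from uid 1000 against daemon uid 0 -> %d\n",
           dispatch_checked("Exit", &other, 0));
    close(sv[0]);
    close(sv[1]);
    return 0;
}
```

The point of the structure is that the gate runs before the command lookup, not inside individual handlers: auditing a downstream fork then means confirming there is exactly one path from the accepted socket into dispatch and that it passes through the credential check. The same SO_PEERCRED read is also a cheap way to log who issued each supervision command, which supports the monitoring action above.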
Evidence notes
The supplied CVE description states that all eight supervision commands are dispatched without credential verification through the abstract socket @urn:AGL:afs:supervision:socket, and that this socket lacks DAC protection. NVD metadata included in the source corpus marks the issue as analyzed, assigns CWE-284, and provides the CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. There is one scope discrepancy to note: the narrative description says afb-daemon is affected through v19.90.0, while the NVD CPE criteria in the source corpus currently list vulnerable Automotive Grade Linux versions through 17.1.12. The reference to the Gerrit repository is marked as broken, so the supplied gist advisory is the only usable non-NVD reference in the corpus.
Official resources
- CVE-2026-37526 CVE record (CVE.org)
- CVE-2026-37526 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: [email protected] (Broken Link)
- Mitigation or vendor reference: [email protected] (Third Party Advisory)
The vulnerability was published in the supplied CVE record on 2026-05-01 and last modified on 2026-05-18. This debrief uses those CVE dates for timing context; it does not infer any later publication or review date as the issue date.