CVE-2026-41054 SUSE CVE debrief

Who should care

System administrators, distro maintainers, and anyone deploying the affected service/component should care, especially on multi-user systems where local users can reach the UNIX socket. Because the reported impact is local privilege escalation, hosts that expose the command socket to non-root users are the primary concern.

Technical summary

The supplied description says socket_handler in src/havegecmd.c performs a credential check on an abstract UNIX socket, detects uid != 0, and prepares ASCII_NAK, but does not return or otherwise halt processing. As a result, the function still reaches the command switch and can process privileged operations. The NVD vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which is consistent with a local escalation path. NVD also assigns CWE-305.

Defensive priority

High

Recommended defensive actions

• Apply vendor or downstream updates that include a fix for the authorization flow.
• Verify the non-root path exits immediately after a failed credential check; do not rely on a negative acknowledgement alone.
• Restrict access to the affected UNIX socket or disable the service if that is operationally feasible until patched.
• Review local service permissions and packaging to confirm unprivileged users cannot invoke privileged socket commands.
• Monitor vendor advisories and downstream package trackers for clarified product attribution and remediation guidance.

Evidence notes

This debrief is based only on the supplied NVD record and the linked official reference URLs. The NVD description explicitly states the credential-check/continue-execution flaw in src/havegecmd.c and the potential to reach privileged commands such as MAGIC_CHROOT. The record also supplies CVSS 3.1 AV:L/PR:L and CWE-305, and lists the issue as Awaiting Analysis. Vendor/product attribution in the supplied corpus is not fully resolved, so the summary avoids naming a specific product beyond the component path described in the source text.

Official resources