CVE-2026-37531 describes a critical vulnerability in Automotive Grade Linux app-framework-main through 17.1.12. The widget installation flow can extract ZIP entries before signature verification, and the filename validation only blocks absolute paths rather than dot-dot traversal sequences. As a result, crafted widget archives may write files outside the intended work directory, and those files can persis [truncated]
CVE-2026-37526 is a local authorization bypass in AGL app-framework-binder (afb-daemon) supervision handling. According to the supplied description, any local process can reach the abstract Unix socket @urn:AGL:afs:supervision:socket and invoke privileged supervision commands without authentication. The impact is broad: service shutdown, arbitrary API invocation, session control, configuration disclosure, [truncated]
CVE-2026-37525 is a high-severity privilege-escalation issue in AGL app-framework-binder (afb-daemon). The supervision Do command path clears the request credentials before it dispatches an attacker-controlled API call, so the target API executes in a NULL-credential context. If downstream APIs make authorization decisions based on context->credentials and treat NULL as permissive or fail open, an attacke [truncated]
