CVE-2026-31979
Received Received - Intake
Symlink Attack in Himmelblau Daemon Enables Local Privilege Escalation

Publication date: 2026-03-11

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Prior to 3.1.0 and 2.3.8, the himmelblaud-tasks daemon, running as root, writes Kerberos cache files under /tmp/krb5cc_<uid> without symlink protections. Since commit 87a51ee, PrivateTmp is explicitly removed from the tasks daemon's systemd hardening, exposing it to the host /tmp. A local user can exploit this via symlink attacks to chown or overwrite arbitrary files, achieving local privilege escalation. This vulnerability is fixed in 3.1.0 and 2.3.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31979
EUVD
EUVD-2026-11332
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
himmelblau-idm himmelblau From 1.0.0 (inc) to 2.3.8 (exc)
himmelblau-idm himmelblau From 3.0.0 (inc) to 3.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-31979 is a local privilege escalation vulnerability in the himmelblaud-tasks daemon, part of the Himmelblau interoperability suite for Microsoft Azure Entra ID and Intune. The daemon runs as root on Linux systems and writes Kerberos credential cache files under /tmp/krb5cc_<uid> without protecting against symbolic link (symlink) attacks.'}, {'type': 'paragraph', 'content': "The vulnerability arises because the daemon's systemd service explicitly removes the PrivateTmp sandboxing feature, exposing its /tmp directory to the host's shared /tmp. This allows a local attacker to create symlinks in /tmp that the daemon follows when creating directories or writing files."}, {'type': 'paragraph', 'content': 'Specifically, the daemon creates the ccache directory and changes ownership without checking if the path is a symlink, enabling an attacker to redirect ownership changes to arbitrary system directories. Additionally, files inside the ccache directory are opened and written without flags that prevent following symlinks, allowing overwriting of arbitrary files.'}, {'type': 'paragraph', 'content': 'By exploiting this, a local user can gain ownership of critical system files or directories, such as /etc, and modify sensitive files like /etc/passwd or /etc/sudoers, leading to full root privilege escalation.'}] [1]

Impact Analysis

This vulnerability allows any local user on a Linux system running the vulnerable himmelblaud-tasks daemon to escalate their privileges to root.

An attacker can exploit symlink attacks to gain ownership of critical system directories or overwrite sensitive files, potentially leading to full system compromise.

  • Local privilege escalation to root.
  • Full system compromise by modifying critical files such as /etc/passwd, /etc/shadow, or /etc/sudoers.
  • Potential disruption or takeover of authentication mechanisms relying on Kerberos credentials.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring the /tmp/krb5cc_* directories for suspicious symlinks and checking for unexpected ownership changes on sensitive directories such as /etc, /usr, and /var/lib.'}, {'type': 'list_item', 'content': 'Check for symlinks in /tmp/krb5cc_* directories using: ls -l /tmp/krb5cc_*'}, {'type': 'list_item', 'content': "Find symlinks specifically with: find /tmp -maxdepth 1 -name 'krb5cc_*' -type l -ls"}, {'type': 'list_item', 'content': 'Check ownership of critical directories for unexpected changes: ls -ld /etc /usr /var/lib'}, {'type': 'list_item', 'content': 'Use audit or inotify tools to monitor changes to these directories and files.'}, {'type': 'paragraph', 'content': 'Any detection of symlinks in the ccache directories or unexpected ownership changes should be treated as a potential compromise and trigger incident response.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation involves re-enabling the PrivateTmp sandboxing feature for the himmelblaud-tasks systemd service to isolate its /tmp directory from the host's shared /tmp."}, {'type': 'list_item', 'content': 'Create a systemd drop-in override file at /etc/systemd/system/himmelblaud-tasks.service.d/override.conf with the following content:'}, {'type': 'list_item', 'content': '[Service]\nPrivateTmp=true'}, {'type': 'list_item', 'content': 'Reload systemd and restart the himmelblaud-tasks service using: sudo systemctl daemon-reload && sudo systemctl restart himmelblaud-tasks'}, {'type': 'paragraph', 'content': "Note that this mitigation may cause regression in user-visible Kerberos ccache behavior, but it prevents the daemon from writing to the host's /tmp and thus blocks the symlink attack."}, {'type': 'paragraph', 'content': 'Additionally, upgrading himmelblau to patched versions 3.1.0 or 2.3.8 is recommended to fully fix the vulnerability.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31979. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart