CVE-2026-31979
Symlink Attack in Himmelblau Daemon Enables Local Privilege Escalation
Publication date: 2026-03-11
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| himmelblau-idm | himmelblau | From 1.0.0 (inc) to 2.3.8 (exc) |
| himmelblau-idm | himmelblau | From 3.0.0 (inc) to 3.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-31979 is a local privilege escalation vulnerability in the himmelblaud-tasks daemon, part of the Himmelblau interoperability suite for Microsoft Azure Entra ID and Intune. The daemon runs as root on Linux systems and writes Kerberos credential cache files under /tmp/krb5cc_<uid> without protecting against symbolic link (symlink) attacks.'}, {'type': 'paragraph', 'content': "The vulnerability arises because the daemon's systemd service explicitly removes the PrivateTmp sandboxing feature, exposing its /tmp directory to the host's shared /tmp. This allows a local attacker to create symlinks in /tmp that the daemon follows when creating directories or writing files."}, {'type': 'paragraph', 'content': 'Specifically, the daemon creates the ccache directory and changes ownership without checking if the path is a symlink, enabling an attacker to redirect ownership changes to arbitrary system directories. Additionally, files inside the ccache directory are opened and written without flags that prevent following symlinks, allowing overwriting of arbitrary files.'}, {'type': 'paragraph', 'content': 'By exploiting this, a local user can gain ownership of critical system files or directories, such as /etc, and modify sensitive files like /etc/passwd or /etc/sudoers, leading to full root privilege escalation.'}] [1]
How can this vulnerability impact me? :
This vulnerability allows any local user on a Linux system running the vulnerable himmelblaud-tasks daemon to escalate their privileges to root.
An attacker can exploit symlink attacks to gain ownership of critical system directories or overwrite sensitive files, potentially leading to full system compromise.
- Local privilege escalation to root.
- Full system compromise by modifying critical files such as /etc/passwd, /etc/shadow, or /etc/sudoers.
- Potential disruption or takeover of authentication mechanisms relying on Kerberos credentials.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring the /tmp/krb5cc_* directories for suspicious symlinks and checking for unexpected ownership changes on sensitive directories such as /etc, /usr, and /var/lib.'}, {'type': 'list_item', 'content': 'Check for symlinks in /tmp/krb5cc_* directories using: ls -l /tmp/krb5cc_*'}, {'type': 'list_item', 'content': "Find symlinks specifically with: find /tmp -maxdepth 1 -name 'krb5cc_*' -type l -ls"}, {'type': 'list_item', 'content': 'Check ownership of critical directories for unexpected changes: ls -ld /etc /usr /var/lib'}, {'type': 'list_item', 'content': 'Use audit or inotify tools to monitor changes to these directories and files.'}, {'type': 'paragraph', 'content': 'Any detection of symlinks in the ccache directories or unexpected ownership changes should be treated as a potential compromise and trigger incident response.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': "Immediate mitigation involves re-enabling the PrivateTmp sandboxing feature for the himmelblaud-tasks systemd service to isolate its /tmp directory from the host's shared /tmp."}, {'type': 'list_item', 'content': 'Create a systemd drop-in override file at /etc/systemd/system/himmelblaud-tasks.service.d/override.conf with the following content:'}, {'type': 'list_item', 'content': '[Service]\nPrivateTmp=true'}, {'type': 'list_item', 'content': 'Reload systemd and restart the himmelblaud-tasks service using: sudo systemctl daemon-reload && sudo systemctl restart himmelblaud-tasks'}, {'type': 'paragraph', 'content': "Note that this mitigation may cause regression in user-visible Kerberos ccache behavior, but it prevents the daemon from writing to the host's /tmp and thus blocks the symlink attack."}, {'type': 'paragraph', 'content': 'Additionally, upgrading himmelblau to patched versions 3.1.0 or 2.3.8 is recommended to fully fix the vulnerability.'}] [1]