CVE-2026-4948
Unauthorized Runtime Firewall Modification via D-Bus in firewalld
Publication date: 2026-03-27
Last updated on: 2026-04-30
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 7.0 |
| firewalld | firewalld | up to and including 2.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-279 | While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability allows an unprivileged local user to make unauthorized changes to the firewall configuration.
Such unauthorized modifications can compromise system security by altering network security settings without proper authentication.
The severity of this issue is rated medium.
Can you explain this vulnerability to me?
CVE-2026-4948 is a vulnerability in firewalld where two runtime D-Bus setter methods, setZoneSettings2 and setPolicySettings, are improperly authorized.
These methods are only protected by the PK_ACTION_CONFIG_INFO permission, which is insufficient, allowing a local unprivileged user to modify the runtime firewall state without proper authentication.
Exploitation requires local access to a system running firewalld with the desktop profile enabled.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized modification of the runtime firewall state via D-Bus setter methods setZoneSettings2 and setPolicySettings in firewalld. Detection would involve monitoring for unexpected changes to firewall configurations or unauthorized D-Bus method calls related to firewalld.
Specifically, you can check if the system is running firewalld version 2.4.0 or earlier, and if the desktop policy profile is enabled, as these conditions are required for exploitation.
Commands to help detect potential exploitation might include:
- Check firewalld version: `firewall-cmd --version`
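- Check active firewalld zones and runtime settings with `firewall-cmd --list-all-zones`, and compare them against the permanent configuration with `firewall-cmd --permanent --list-all-zones`. Do not use `firewall-cmd --runtime-to-permanent` for this: it is not a read-only check, it saves the current runtime configuration as the permanent one and would persist an unauthorized change.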
- Monitor D-Bus calls related to firewalld, for example using `dbus-monitor` filtering for methods setZoneSettings2 and setPolicySettings.
- Review system logs for unauthorized changes or suspicious activity related to firewalld.
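
One way to act on the `dbus-monitor` suggestion above, as an added example that is not part of the original page or of the firewalld project: a filter that reads `dbus-monitor` text output and reports calls to the two setters. It assumes the firewalld bus name `org.fedoraproject.FirewallD1`, the classic `dbus-monitor` output format, and that the first string argument is the zone or policy name; the function names and the sample capture are constructed for illustration.

```shell
# Added example: flag firewalld runtime setter calls in dbus-monitor text output.
# Live use, as root (assumes the classic, non --profile output format):
#   dbus-monitor --system "type='method_call',destination='org.fedoraproject.FirewallD1'" | flag_setter_calls

# Reads dbus-monitor output on stdin.
# Prints one line per hit: <time> <sender> <member> <first string argument>
flag_setter_calls() {
    awk '
    function emit() { if (hit) print t, s, m, (name == "" ? "-" : name); hit = 0; name = "" }
    # A new message header closes the previous message.
    /^(method call|method return|signal|error) / {
        emit()
        if ($1 " " $2 != "method call") next
        t = s = m = iface = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^time=/)      t = substr($i, 6)
            if ($i ~ /^sender=/)    s = substr($i, 8)
            if ($i ~ /^interface=/) iface = substr($i, 11)
            if ($i ~ /^member=/)    m = substr($i, 8)
        }
        if (iface ~ /^org\.fedoraproject\.FirewallD1\./ &&
            (m == "setZoneSettings2" || m == "setPolicySettings")) hit = 1
        next
    }
    # First string argument after a flagged header (assumed: zone or policy name).
    hit && name == "" && /^ +string "/ {
        name = $0; sub(/^ +string "/, "", name); sub(/"$/, "", name)
    }
    END { emit() }'
}

# Constructed sample capture (not real traffic).
sample_log() {
    cat <<'EOF'
method call time=1774600000.100000 sender=:1.88 -> destination=org.fedoraproject.FirewallD1 serial=7 path=/org/fedoraproject/FirewallD1; interface=org.fedoraproject.FirewallD1.zone; member=getZoneSettings2
   string "public"
method call time=1774600003.200000 sender=:1.91 -> destination=org.fedoraproject.FirewallD1 serial=9 path=/org/fedoraproject/FirewallD1; interface=org.fedoraproject.FirewallD1.zone; member=setZoneSettings2
   string "public"
   array [
         string "services"
   ]
method return time=1774600003.210000 sender=:1.5 -> destination=:1.91 serial=40 reply_serial=9
method call time=1774600009.000000 sender=:1.91 -> destination=org.fedoraproject.FirewallD1 serial=11 path=/org/fedoraproject/FirewallD1; interface=org.fedoraproject.FirewallD1.policy; member=setPolicySettings
   string "allow-host-ipv6"
EOF
}

sample_log | flag_setter_calls
```

A hit is only a lead: administrators and management tools call these methods too, so compare the sender and time against who was expected to change the firewall.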
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade firewalld to a version later than 2.4.0 where this vulnerability is fixed.
- Disable or restrict the desktop policy profile if it is not required, as the vulnerability requires this profile to be active.
- Limit local unprivileged user access to systems running firewalld with the desktop profile enabled.
- Monitor and audit firewall configuration changes to detect unauthorized modifications.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows a local unprivileged user to make unauthorized changes to the runtime firewall state without proper authentication. This can lead to compromised network security configurations.
Such unauthorized modifications to firewall settings could potentially impact compliance with security requirements in common standards and regulations like GDPR and HIPAA, which mandate strict controls over system and network security to protect sensitive data.
However, the provided information does not explicitly describe the direct effects on compliance with these standards.