CVE-2026-4948
Received Received - Intake
Unauthorized Runtime Firewall Modification via D-Bus in firewalld

Publication date: 2026-03-27

Last updated on: 2026-04-30

Assigner: Red Hat, Inc.

Description
A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4948
EUVD
EUVD-2026-16557
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 7.0
firewalld firewalld to 2.4.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-279 While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows an unprivileged local user to make unauthorized changes to the firewall configuration.

Such unauthorized modifications can compromise system security by altering network security settings without proper authentication.

The severity of this issue is rated medium.

Executive Summary

CVE-2026-4948 is a vulnerability in firewalld where two runtime D-Bus setter methods, setZoneSettings2 and setPolicySettings, are improperly authorized.

These methods are only protected by the PK_ACTION_CONFIG_INFO permission, which is insufficient, allowing a local unprivileged user to modify the runtime firewall state without proper authentication.

Exploitation requires local access to a system running firewalld with the desktop profile enabled.

Detection Guidance

This vulnerability involves unauthorized modification of the runtime firewall state via D-Bus setter methods setZoneSettings2 and setPolicySettings in firewalld. Detection would involve monitoring for unexpected changes to firewall configurations or unauthorized D-Bus method calls related to firewalld.

Specifically, you can check if the system is running firewalld version 2.4.0 or earlier, and if the desktop policy profile is enabled, as these conditions are required for exploitation.

Commands to help detect potential exploitation might include:

  • Check firewalld version: `firewall-cmd --version`
  • Check active firewalld zones and runtime settings: `firewall-cmd --list-all-zones` and `firewall-cmd --runtime-to-permanent`
  • Monitor D-Bus calls related to firewalld, for example using `dbus-monitor` filtering for methods setZoneSettings2 and setPolicySettings.
  • Review system logs for unauthorized changes or suspicious activity related to firewalld.
Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade firewalld to a version later than 2.4.0 where this vulnerability is fixed.
  • Disable or restrict the desktop policy profile if it is not required, as the vulnerability requires this profile to be active.
  • Limit local unprivileged user access to systems running firewalld with the desktop profile enabled.
  • Monitor and audit firewall configuration changes to detect unauthorized modifications.
Compliance Impact

The vulnerability allows a local unprivileged user to make unauthorized changes to the runtime firewall state without proper authentication. This can lead to compromised network security configurations.

Such unauthorized modifications to firewall settings could potentially impact compliance with security requirements in common standards and regulations like GDPR and HIPAA, which mandate strict controls over system and network security to protect sensitive data.

However, the provided information does not explicitly describe the direct effects on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4948. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart