CVE-2026-34397
Local Privilege Escalation in Himmelblau NSS Module via Naming Collision

Publication date: 2026-04-01

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From versions 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1, there is a conditional local privilege escalation vulnerability in an edge-case naming collision. Only authenticated himmelblau users whose mapped CN/short name exactly matches a privileged local group name (e.g., "sudo", "wheel", "docker", "adm") can cause the NSS module to resolve that group name to their fake primary group. If the system uses NSS results for group-based authorization decisions (sudo, polkit, etc.), this can grant the attacker the privileges of that group. This issue has been patched in versions 2.3.9 and 3.1.1.
Meta Information
Published: 2026-04-01
Last Modified: 2026-04-15
Generated: 2026-05-07
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
himmelblau-idm | himmelblau | From 2.0.0 (inc) to 2.3.9 (exc)
himmelblau-idm | himmelblau | From 3.0.0 (inc) to 3.1.1 (exc)
CWE
CWE ID | Description
CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34397 is a local privilege escalation vulnerability in the Himmelblau interoperability suite for Microsoft Azure Entra ID and Intune. It occurs in the NSS (Name Service Switch) module when there is a naming collision between a user's mapped CN/short name and a privileged local group name such as "sudo", "wheel", "docker", or "adm".

The vulnerability arises because the NSS module fails to apply a critical name-equality check during group lookups, allowing an authenticated user whose CN/short name exactly matches a privileged group name to have their fake primary group resolved as that privileged group. This can cause the system to treat the attacker as a member of that privileged group.

This issue affects Himmelblau versions from 2.0.0-alpha to before 2.3.9 and 3.0.0-alpha to before 3.1.1 and has been patched in versions 2.3.9 and 3.1.1.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The CVE-2026-34397 vulnerability allows authenticated users to escalate privileges locally by exploiting a naming collision in the Himmelblau NSS module, potentially granting unauthorized root-equivalent access.

Such unauthorized privilege escalation can lead to unauthorized access to sensitive data or system controls, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of sensitive information.

However, the provided context and resources do not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these or other common standards and regulations.


How can this vulnerability impact me?

This vulnerability can allow an authenticated attacker to escalate their privileges on the affected system by gaining membership in privileged local groups such as "sudo" or "wheel".

If the system uses NSS results for group-based authorization decisions (for example, by sudo or polkit), the attacker can gain elevated privileges equivalent to those groups, potentially including root-level access.

The attack requires the attacker to have a CN/short name that exactly matches a privileged group name and the system to be configured with Himmelblau NSS enabled for group lookups.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a conditional local privilege escalation through a naming collision in the Himmelblau NSS module. Detection involves verifying if any authenticated user has a mapped CN/short name that exactly matches privileged local group names such as "sudo", "wheel", "docker", or "adm".

To detect potential exploitation or presence of this vulnerability on your system, you can check the following:

  • List all local privileged groups (e.g., sudo, wheel, docker, adm) using: getent group sudo wheel docker adm
  • Check if any authenticated Himmelblau users have CN/short names that exactly match these privileged group names.
  • Verify the NSS configuration in /etc/nsswitch.conf to see if Himmelblau is used for group lookups.
  • Review Himmelblau configuration (e.g., himmelblau.conf) to confirm if cn_name_mapping is enabled (true by default).

Since the vulnerability is related to NSS group name resolution, commands like the following may help identify suspicious group mappings or privilege escalations:

  • getent group | grep -E '^(sudo|wheel|docker|adm):' # To list exactly these privileged groups and their members
  • id <username> # To check group memberships of specific users
  • grep himmelblau /etc/nsswitch.conf # To confirm Himmelblau NSS module usage
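
The checks above can be combined into one script. This is an added example, not part of the advisory or of the Himmelblau project: it compares the GID recorded in /etc/group with the GID NSS returns for each privileged name, and reports the source order on the group: line of /etc/nsswitch.conf. The function names and the --audit flag are assumptions of this example; the himmelblau service name is the one the page greps for.

```shell
#!/bin/sh
# Added example: audit for the group-name collision described in CVE-2026-34397.
PRIV_GROUPS="sudo wheel docker adm"   # privileged names listed in the advisory

# Print the GID recorded for group $1 in group-format file $2 (empty if absent).
local_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"
}

# Classify the "group:" line of nsswitch-format file $1 as one of:
# absent | no-files | files-first | himmelblau-first
nss_group_order() {
    awk '$1 == "group:" {
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !f) f = i
                if ($i == "himmelblau" && !h) h = i
            }
        }
        END {
            if (!h) print "absent"
            else if (!f) print "no-files"
            else if (f < h) print "files-first"
            else print "himmelblau-first"
        }' "$1"
}

# Compare the local GID ($1) with the GID NSS returned ($2) for the same name.
check_collision() {
    if [ -z "$2" ]; then echo "absent"        # name does not resolve at all
    elif [ -z "$1" ]; then echo "nss-only"    # resolves, but not from /etc/group
    elif [ "$1" = "$2" ]; then echo "ok"
    else echo "COLLISION"; fi                 # NSS answers with a different GID
}

# Run the checks against the live system.
audit_system() {
    echo "nsswitch group order: $(nss_group_order /etc/nsswitch.conf)"
    for g in $PRIV_GROUPS; do
        lgid=$(local_gid "$g" /etc/group)
        ngid=$(getent group "$g" | cut -d: -f3)
        echo "$g local=${lgid:-none} nss=${ngid:-none} $(check_collision "$lgid" "$ngid")"
    done
}

if [ "${1:-}" = "--audit" ]; then audit_system; fi
```

A COLLISION or nss-only result for a privileged name means the name is being answered by something other than the local group file and should be investigated before relying on it in sudoers or polkit rules.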

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps for CVE-2026-34397 focus on preventing the name collision exploitation in the Himmelblau NSS module.

  • Upgrade Himmelblau to a patched version: 2.3.9 or later on the 2.x series, or 3.1.1 or later on the 3.x series.
  • Temporarily disable the cn_name_mapping option by setting cn_name_mapping = false in the Himmelblau configuration to prevent short-name-to-UPN mapping and avoid the collision.
  • Configure NSS to prioritize local files (/etc/group) before Himmelblau for group lookups in /etc/nsswitch.conf to reduce risk, though this may vary by NSS implementation and application.
  • Administrators should specify group names by Object ID GUID or GID rather than by name in authorization configurations to avoid ambiguity.

These steps help prevent attackers from exploiting the naming collision to escalate privileges until the patched versions are deployed.

