Executive Summary

CVE-2026-6245 is a vulnerability in the System Security Services Daemon (SSSD) related to an out-of-bounds read error.

The flaw exists in the function pam_passkey_child_read_data() within the PAM passkey responder component of SSSD. This function improperly handles raw byte data received from a pipe by treating it as a NUL-terminated C string without ensuring explicit termination.

As a result, when functions such as snprintf() process this data, they may read beyond the intended buffer boundaries, causing an out-of-bounds read.

A local attacker can exploit this vulnerability by crafting a malicious passkey authentication request, which triggers the flaw and causes the SSSD PAM responder to crash.

This leads to a local Denial of Service (DoS) condition.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited by a local attacker to cause the System Security Services Daemon (SSSD) PAM responder to crash.

The impact of this crash is a local Denial of Service (DoS), which means legitimate users may be unable to authenticate or use services relying on SSSD during the crash.

Since the vulnerability requires local access and results in a DoS without compromising confidentiality or integrity, the impact is limited to availability disruption.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability is triggered by a crafted passkey authentication request causing the SSSD PAM responder to crash locally. Detection involves monitoring for crashes or abnormal behavior of the sssd daemon related to PAM passkey authentication.

You can check system logs for crash reports or errors related to sssd or PAM authentication failures.

• Use journalctl to review recent sssd service logs: sudo journalctl -u sssd
• Check for core dumps or crash messages related to sssd in /var/log/messages or /var/log/syslog.
• Monitor PAM authentication logs for unusual passkey authentication failures: sudo grep pam_passkey /var/log/auth.log

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should update the System Security Services Daemon (SSSD) to a version where the flaw in pam_passkey_child_read_data() is fixed.

Until a patch is applied, restrict local user access to prevent untrusted users from initiating crafted passkey authentication requests that could trigger the crash.

Additionally, monitor the sssd service for crashes and restart it promptly if it stops.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in CVE-2026-6245 causes a local Denial of Service (DoS) by crashing the System Security Services Daemon (SSSD) PAM responder through an out-of-bounds read. It does not involve unauthorized access, data leakage, or modification of data.

Because the vulnerability results only in a DoS condition without compromising confidentiality or integrity, it does not directly impact compliance with data protection standards such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and security.

However, any service disruption caused by the DoS could indirectly affect availability requirements under these regulations, depending on the affected environment and criticality of the service.

Useful 0 Not Useful 0