Compliance Impact

The vulnerability in authd prior to version 0.6.4 can lead to local privilege escalation by incorrectly resetting a user's primary group ID to their user ID. This misconfiguration can cause files and directories to be owned by the wrong group, potentially granting unauthorized local users access to sensitive data.

Such unauthorized access and privilege escalation can impact the confidentiality, integrity, and availability of data, which are core principles in compliance frameworks like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could lead to violations of data protection requirements under these regulations by exposing sensitive information to unauthorized users or disrupting service availability.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-6970 is a high-severity vulnerability in the authd package versions 0.6.0 through before 0.6.4 caused by a logic error in the assignment of a user's primary group ID (GID). When a user's primary GID differs from their user ID (UID), either because the account was created with authd prior to version 0.5.4 or because the primary group was manually changed using the authctl utility, authd incorrectly resets the primary GID to the UID upon the user's next login if their identity provider record is updated.

This incorrect resetting causes newly created files and directories to be owned by the wrong group, which can lead to denial of service issues and potentially grant unintended access to other local users. This misconfiguration enables local privilege escalation by allowing attackers with low privileges to gain higher access through the incorrect group ownership.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing a local attacker with low privileges to escalate their privileges on the affected system. Because the primary group ID is incorrectly reset to the user's UID, files and directories created by the user may be owned by the wrong group.

This misownership can cause denial of service issues and potentially grant unauthorized local users access to sensitive files, compromising confidentiality, integrity, and availability of data on the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by enumerating all authd users and comparing their current primary group ID (GID) with the correct GID from the group database. If there is a mismatch, it indicates the presence of the vulnerability.

A provided shell script (mentioned in the advisory) automates this process by checking each user's GID and resetting it if necessary.

Commands that can be used include:

• `authctl group set-gid` - to manually set the correct GID for a user.
• `getent passwd` and `getent group` - to inspect user and group records and verify if the primary GID matches expected values.
• `loginctl terminate-user <username>` - to terminate active sessions after remediation.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade authd to version 0.6.4 or later where the issue is fixed.

If upgrading is not immediately possible, run the provided shell script to:

• Enumerate all authd users and compare their current GID with the correct GID from the group database.
• Reset the GID using `authctl group set-gid` for users with mismatched GIDs.
• Recursively change file ownership in the user's home directory to the correct group.

After applying these changes, users must log out and log back in for the changes to take effect. Optionally, active sessions can be terminated using `loginctl terminate-user`.

Note that files outside home directories may require manual ownership correction.

Useful 0 Not Useful 0