CVE-2026-37525
Awaiting Analysis Awaiting Analysis - Queue
Privilege Escalation in AGL app-framework-binder

Publication date: 2026-05-01

Last updated on: 2026-05-18

Assigner: MITRE

Description
AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-18
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-37525
EUVD
EUVD-2026-26681
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation automotive_grade_linux to 17.1.12 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the AGL app-framework-binder (afb-daemon) up to version 19.90.0 and involves a privilege escalation issue in the supervision Do command.

Specifically, the function on_supervision_call nullifies the request credentials before dispatching an API call controlled by the attacker. This means the credentials are set to NULL before the target API executes.

Because the attacker controls the API and verb parameters via JSON input, they can execute any registered API with a NULL credential context.

If the APIs rely on the credentials in the context for authorization, they may fail open when receiving NULL credentials, allowing the attacker to escalate privileges.

Impact Analysis

This vulnerability can allow an attacker with limited privileges to escalate their privileges by executing API calls without proper authorization checks.

Because the credentials are nullified before the API call, APIs that depend on these credentials for security may inadvertently grant higher access or perform sensitive actions.

The impact includes potential unauthorized access to sensitive data, modification of system settings, or disruption of services, as indicated by the high CVSS score (7.8) with high impact on confidentiality, integrity, and availability.

Compliance Impact

The vulnerability allows privilege escalation by enabling attacker-controlled API calls with NULL credential contexts, potentially bypassing authorization checks. This could lead to unauthorized access to sensitive data or system functions.

Such unauthorized access and privilege escalation may result in violations of common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37525. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart