CVE-2026-41054
Privilege Escalation in Haveged Daemon via UNIX Socket
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: SUSE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| haveged | haveged | 1.9.21 |
| haveged | haveged | From 1.9.14 (inc) to 1.9.21 (exc) |
| haveged | haveged | 1.9.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-305 | The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41054 is a privilege escalation vulnerability in the haveged entropy daemon on Linux systems. The issue occurs in the socket_handler function, which checks the credentials of a user connecting to an abstract UNIX socket. Although the function detects if the user is not root and sends a negative acknowledgement, it fails to stop execution afterward. This allows any local unprivileged user to proceed and execute privileged commands such as MAGIC_CHROOT by interacting with the root-running daemon.
The root cause is that after detecting a non-root user, the code does not exit the function but continues to a switch statement that processes commands, enabling unauthorized command execution.
How can this vulnerability impact me? :
This vulnerability allows a local unprivileged user to escalate their privileges to root by exploiting the haveged daemon. Specifically, an attacker can send commands to the daemon through the abstract UNIX socket to perform privileged actions such as forcing the daemon to chroot into an attacker-controlled directory and then execute arbitrary code with root privileges.
The impact includes full system compromise by local attackers, as they can gain root access and execute arbitrary commands, potentially leading to complete control over the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves local unprivileged users exploiting the haveged daemon's abstract UNIX socket at \0/sys/entropy/haveged to execute privileged commands. Detection involves checking for unauthorized access or commands sent to this socket.
You can detect attempts to exploit this vulnerability by monitoring local socket connections to the abstract UNIX socket \0/sys/entropy/haveged and checking for unexpected commands or activity from non-root users.
Suggested commands include using tools like 'ss' or 'lsof' to inspect UNIX socket connections and 'auditd' or 'strace' to monitor system calls related to socket communication.
- ss -xl | grep haveged # Lists UNIX sockets related to haveged
- lsof -U | grep haveged # Shows open UNIX domain sockets by haveged
- auditctl -w /proc/*/fd -p rwxa -k haveged-socket # Audits file descriptor accesses, can be tuned to monitor socket usage
- strace -p <haveged_pid> -e trace=connect,sendto,recvfrom # Traces socket-related system calls of the haveged process
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade haveged to version 1.9.21 or later, where the vulnerability has been fixed by properly rejecting non-root connections to the command socket.
If upgrading immediately is not possible, restrict access to the abstract UNIX socket \0/sys/entropy/haveged to trusted users only, for example by adjusting permissions or using Linux security modules.
Consider disabling haveged if your system uses a modern Linux kernel with a robust built-in random number generator, as some resources suggest that entropy daemons may no longer be necessary.
- Upgrade haveged to version 1.9.21 or later.
- Restrict permissions or access controls on the haveged command socket.
- Disable haveged if your kernel RNG is sufficient for your needs.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-41054 allows local unprivileged users to escalate privileges to root by exploiting a missing exit statement in a credential check within the haveged daemon. This privilege escalation can lead to unauthorized root access and arbitrary code execution.
Such unauthorized privilege escalation and potential root compromise can impact compliance with common security standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. If an attacker gains root access, they could potentially access, modify, or exfiltrate sensitive information, violating confidentiality, integrity, and availability requirements mandated by these regulations.
Therefore, this vulnerability poses a significant risk to maintaining compliance with standards that mandate robust privilege separation and protection against unauthorized access.