CVE-2026-41054
Awaiting Analysis Awaiting Analysis - Queue
Privilege Escalation in Haveged Daemon via UNIX Socket

Publication date: 2026-05-20

Last updated on: 2026-06-05

Assigner: SUSE

Description
In `src/havegecmd.c`, the `socket_handler` function performs a credential check on the abstract UNIX socket (`\0/sys/entropy/haveged`). However, while it detects if the connecting user is not root (`cred.uid != 0`) and prepares a negative acknowledgement (`ASCII_NAK`), it **fails to stop execution**. The code proceeds to the `switch` statement, allowing any local unprivileged user to execute privileged commands such as `MAGIC_CHROOT`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-06-05
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-41054
EUVD
EUVD-2026-31076
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
haveged haveged 1.9.21
haveged haveged From 1.9.14 (inc) to 1.9.21 (exc)
haveged haveged 1.9.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-305 The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41054 is a privilege escalation vulnerability in the haveged entropy daemon on Linux systems. The issue occurs in the socket_handler function, which checks the credentials of a user connecting to an abstract UNIX socket. Although the function detects if the user is not root and sends a negative acknowledgement, it fails to stop execution afterward. This allows any local unprivileged user to proceed and execute privileged commands such as MAGIC_CHROOT by interacting with the root-running daemon.

The root cause is that after detecting a non-root user, the code does not exit the function but continues to a switch statement that processes commands, enabling unauthorized command execution.

Impact Analysis

This vulnerability allows a local unprivileged user to escalate their privileges to root by exploiting the haveged daemon. Specifically, an attacker can send commands to the daemon through the abstract UNIX socket to perform privileged actions such as forcing the daemon to chroot into an attacker-controlled directory and then execute arbitrary code with root privileges.

The impact includes full system compromise by local attackers, as they can gain root access and execute arbitrary commands, potentially leading to complete control over the affected system.

Detection Guidance

This vulnerability involves local unprivileged users exploiting the haveged daemon's abstract UNIX socket at \0/sys/entropy/haveged to execute privileged commands. Detection involves checking for unauthorized access or commands sent to this socket.

You can detect attempts to exploit this vulnerability by monitoring local socket connections to the abstract UNIX socket \0/sys/entropy/haveged and checking for unexpected commands or activity from non-root users.

Suggested commands include using tools like 'ss' or 'lsof' to inspect UNIX socket connections and 'auditd' or 'strace' to monitor system calls related to socket communication.

  • ss -xl | grep haveged # Lists UNIX sockets related to haveged
  • lsof -U | grep haveged # Shows open UNIX domain sockets by haveged
  • auditctl -w /proc/*/fd -p rwxa -k haveged-socket # Audits file descriptor accesses, can be tuned to monitor socket usage
  • strace -p <haveged_pid> -e trace=connect,sendto,recvfrom # Traces socket-related system calls of the haveged process
Mitigation Strategies

The primary mitigation is to upgrade haveged to version 1.9.21 or later, where the vulnerability has been fixed by properly rejecting non-root connections to the command socket.

If upgrading immediately is not possible, restrict access to the abstract UNIX socket \0/sys/entropy/haveged to trusted users only, for example by adjusting permissions or using Linux security modules.

Consider disabling haveged if your system uses a modern Linux kernel with a robust built-in random number generator, as some resources suggest that entropy daemons may no longer be necessary.

  • Upgrade haveged to version 1.9.21 or later.
  • Restrict permissions or access controls on the haveged command socket.
  • Disable haveged if your kernel RNG is sufficient for your needs.
Compliance Impact

The vulnerability CVE-2026-41054 allows local unprivileged users to escalate privileges to root by exploiting a missing exit statement in a credential check within the haveged daemon. This privilege escalation can lead to unauthorized root access and arbitrary code execution.

Such unauthorized privilege escalation and potential root compromise can impact compliance with common security standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. If an attacker gains root access, they could potentially access, modify, or exfiltrate sensitive information, violating confidentiality, integrity, and availability requirements mandated by these regulations.

Therefore, this vulnerability poses a significant risk to maintaining compliance with standards that mandate robust privilege separation and protection against unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41054. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart