CVE-2026-37525 Overview
CVE-2026-37525 is a privilege escalation vulnerability in the Automotive Grade Linux (AGL) app-framework-binder (also known as afb-daemon) through version 19.90.0. The flaw resides in the supervision Do command handler, which strips request credentials before dispatching attacker-controlled API calls. An authenticated local attacker can invoke any registered API with a NULL credential context, bypassing authorization checks that rely on context->credentials. The defect was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14 and is tracked under [CWE-269] Improper Privilege Management.
Critical Impact
A local attacker with supervision access can execute any registered API call with NULL credentials, enabling privilege escalation across services that authorize requests based on caller credentials.
Affected Products
- AGL app-framework-binder (afb-daemon) versions through v19.90.0
- Automotive Grade Linux distributions integrating vulnerable afb-daemon builds
- Downstream services and APIs registered with the binder relying on credential-based authorization
Discovery Timeline
- 2026-05-01 - CVE-2026-37525 published to the National Vulnerability Database (NVD)
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-37525
Vulnerability Analysis
The vulnerability lives in the binder's supervision interface, which exposes a Do command for diagnostic and administrative API invocation. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching the call through xapi->itf->call(xapi->closure, xreq). The attacker controls both the api and verb parameters via JSON input, so any registered API can be invoked through this path.
The NULL value propagates through the credential subsystem deterministically. In afb-context.c:110, the code assigns context->credentials = afb_cred_addref(NULL), and afb-cred.c:163 returns NULL when its argument is NULL. The target API therefore executes with a NULL credential pointer. APIs that consult context->credentials for authorization decisions may fail open when that pointer is NULL, allowing a low-privileged caller to reach privileged verbs.
Root Cause
The root cause is an Improper Privilege Management defect [CWE-269]. The supervision channel intentionally clears credentials to mark calls as system-originated, but downstream APIs treat a missing credential as either trusted or unchecked. There is no central enforcement that rejects calls with NULL credentials, so the trust boundary between supervision and tenant APIs collapses.
Attack Vector
Exploitation requires local access to the supervision socket with low privileges and no user interaction. The attacker sends a JSON Do request specifying an arbitrary api and verb. The binder strips credentials and forwards the call. Any registered verb that gates behavior on context->credentials may execute as if invoked by a privileged caller, yielding confidentiality, integrity, and availability impact on the host service. See the AGL app-framework-binder repository and the public code snippet for the affected source paths.
Detection Methods for CVE-2026-37525
Indicators of Compromise
- Supervision socket activity invoking the Do command with unexpected api or verb JSON fields targeting privileged endpoints.
- Audit log entries showing API calls executed with empty or NULL credential identifiers when the calling process is not the system supervisor.
- Unusual child processes or configuration changes initiated by afb-daemon shortly after supervision channel access.
Detection Strategies
- Instrument afb-daemon to log every supervision Do invocation with caller PID, UID, and the requested api/verb pair, then alert on any call originating from non-supervisor principals.
- Add wrapper authorization checks in registered APIs that explicitly reject requests where context->credentials is NULL outside expected internal flows.
- Correlate supervision channel access with subsequent privileged API verb usage to surface the credential-stripping pattern characteristic of CVE-2026-37525.
Monitoring Recommendations
- Monitor access controls on the supervision UNIX socket and alert on connections from unexpected user accounts or containers.
- Forward afb-daemon and systemd journal logs to a central analytics platform and build queries that flag NULL-credential API invocations.
- Track file integrity of src/afb-supervision.c, afb-context.c, and afb-cred.c artifacts to ensure deployed binaries match patched releases.
How to Mitigate CVE-2026-37525
Immediate Actions Required
- Restrict access to the afb-daemon supervision socket to trusted system accounts only, using filesystem permissions and service sandboxing.
- Disable or compile out the supervision Do command on production targets where it is not operationally required.
- Audit all registered APIs for handlers that fail open when context->credentials is NULL and add explicit NULL checks that deny the request.
Patch Information
No fixed version is listed in the NVD entry at the time of publication. Track upstream fixes through the AGL app-framework-binder Gerrit repository and apply vendor patches once released. Until then, treat all builds through v19.90.0 as vulnerable.
Workarounds
- Replace the credential-clearing call in on_supervision_call with a controlled supervisor credential rather than NULL when local patching is feasible.
- Enforce mandatory access control (SMACK or SELinux) policies that prevent unprivileged users from connecting to the supervision endpoint.
- Require explicit authorization checks in every registered API verb so NULL credentials are rejected by default.
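The credential-stripping path from the Vulnerability Analysis and the NULL check called for in the Immediate Actions and Workarounds, as an added illustration in C that is not afb-binder code: a fail-open verb handler beside its fail-closed counterpart, with hypothetical stand-ins (struct cred, struct context, cred_addref, change_cred, supervision_do) for the binder's context, afb_cred_addref and afb_context_change_cred.

```c
/* Added example, not afb-binder source: a simplified model of the request
 * context and credential handling described above. The struct names,
 * cred_addref, change_cred, supervision_do and the verb handlers are
 * hypothetical stand-ins. */
#include <stdbool.h>
#include <stddef.h>

struct cred { unsigned uid; bool has_admin; };   /* stand-in for the binder's credential record */
struct context { struct cred *credentials; };     /* stand-in for context->credentials */

/* Models afb_cred_addref() returning NULL for a NULL argument (afb-cred.c:163). */
static struct cred *cred_addref(struct cred *c) { return c; }

/* Models afb_context_change_cred(): the supervision path passes NULL here. */
static void change_cred(struct context *ctx, struct cred *c) {
    ctx->credentials = cred_addref(c);
}

/* Vulnerable verb: denies only when it can see a non-admin caller, so a
 * NULL credential pointer skips the check and the verb fails open. */
bool privileged_verb_fail_open(const struct context *ctx) {
    if (ctx->credentials != NULL && !ctx->credentials->has_admin)
        return false;                        /* denied */
    return true;                             /* executed, also for NULL credentials */
}

/* Hardened verb: no credentials means no authorization; deny by default. */
bool privileged_verb_fail_closed(const struct context *ctx) {
    if (ctx->credentials == NULL)
        return false;                        /* NULL credentials are rejected outright */
    return ctx->credentials->has_admin;
}

/* Models the supervision Do path: credentials cleared before dispatch. */
bool supervision_do(bool (*verb)(const struct context *), struct cred *caller) {
    struct context ctx = { .credentials = caller };
    change_cred(&ctx, NULL);                 /* what on_supervision_call does before the call */
    return verb(&ctx);
}

/* Unprivileged caller (constructed: uid 1000, no admin) via the supervision path. */
bool lowpriv_via_supervision(bool (*verb)(const struct context *)) {
    struct cred low = { .uid = 1000, .has_admin = false };
    return supervision_do(verb, &low);
}

/* Same caller via a normal API call, credentials intact. */
bool lowpriv_direct(bool (*verb)(const struct context *)) {
    struct cred low = { .uid = 1000, .has_admin = false };
    struct context ctx = { .credentials = &low };
    return verb(&ctx);
}
```

The fail-open handler denies the caller on the normal path but executes the verb once the supervision path has cleared the credentials; the fail-closed handler denies in both cases.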
# Configuration example: restrict supervision socket access via systemd
# /etc/systemd/system/afb-daemon.service.d/override.conf
[Service]
UMask=0077
RuntimeDirectoryMode=0700

# SocketMode, SocketUser and SocketGroup are only valid in the [Socket] section
# of a socket unit; under [Service] systemd ignores them with a warning.
# /etc/systemd/system/afb-daemon.socket.d/override.conf
# (assumes the supervision socket is created by a systemd socket unit named
# afb-daemon.socket; adjust the unit name to the deployment)
[Socket]
SocketMode=0600
SocketUser=root
SocketGroup=root
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.