CVE-2026-37525: n/a
AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.
AI Analysis
Technical Summary
The vulnerability in AGL app-framework-binder (afb-daemon) through version 19.90.0 involves the on_supervision_call function explicitly setting the request credentials to NULL before invoking an attacker-controlled API call. This is done by calling afb_context_change_cred with a NULL parameter, which propagates through the codebase resulting in the credentials being zeroed out. Since the attacker controls the API and verb parameters via JSON input, they can execute any registered API with a NULL credential context. APIs that depend on context->credentials for authorization may fail open, enabling privilege escalation. This issue was introduced in a 2018 commit and has a CVSS 3.1 score of 7.8, indicating high impact on confidentiality, integrity, and availability with low attack complexity and no user interaction required.
Potential Impact
An attacker with low privileges can escalate their privileges by invoking any registered API with a NULL credential context due to the credentials being explicitly nullified before the API call. This can lead to unauthorized access and potentially full compromise of the affected system's confidentiality, integrity, and availability. The vulnerability affects all versions of AGL app-framework-binder up to 19.90.0. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround has been provided in the available data. Until a patch is available, restrict access to the affected AGL app-framework-binder daemon and monitor for suspicious API calls that could exploit this vulnerability.
CVE-2026-37525: n/a
Description
AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in AGL app-framework-binder (afb-daemon) through version 19.90.0 involves the on_supervision_call function explicitly setting the request credentials to NULL before invoking an attacker-controlled API call. This is done by calling afb_context_change_cred with a NULL parameter, which propagates through the codebase resulting in the credentials being zeroed out. Since the attacker controls the API and verb parameters via JSON input, they can execute any registered API with a NULL credential context. APIs that depend on context->credentials for authorization may fail open, enabling privilege escalation. This issue was introduced in a 2018 commit and has a CVSS 3.1 score of 7.8, indicating high impact on confidentiality, integrity, and availability with low attack complexity and no user interaction required.
Potential Impact
An attacker with low privileges can escalate their privileges by invoking any registered API with a NULL credential context due to the credentials being explicitly nullified before the API call. This can lead to unauthorized access and potentially full compromise of the affected system's confidentiality, integrity, and availability. The vulnerability affects all versions of AGL app-framework-binder up to 19.90.0. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround has been provided in the available data. Until a patch is available, restrict access to the affected AGL app-framework-binder daemon and monitor for suspicious API calls that could exploit this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-04-06T00:00:00.000Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f4d687cbff5d861013602a
Added to database: 5/1/2026, 4:36:23 PM
Last enriched: 5/1/2026, 4:51:56 PM
Last updated: 5/2/2026, 5:51:02 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.