Privilege Escalation in AGL app-framework-binder Affected by Local Process Exploit
CVE-2026-37526
7.8 HIGH
What is CVE-2026-37526?
The app-framework-binder from AGL allows any local process to execute privileged commands via an unauthenticated abstract Unix socket. This vulnerability permits attackers with low privileges to perform various destructive actions, including terminating the daemon or retrieving sensitive configuration details. The lack of credential verification in the on_supervision_call function poses significant risks to system integrity and confidentiality. The flaw was introduced in a commit from June 2017 and remains a concern for users of the affected versions.
