Message-ID: <agxXF1J53iSJIrP6@suse.de>
Date: Tue, 19 May 2026 12:27:03 +0000
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: Fixed: local root exploit in haveged, fixed in 1.9.21, CVE-2026-41054

Hi,

If you are using haveged, today's release fixes a local root exploit.

https://github.com/jirka-h/haveged/releases

Release 1.9.21 — Security fix for CVE-2026-41054

Fix privilege escalation via command socket (CVE-2026-41054) - the uid
check sent a NAK to non-root callers but did not exit the function,
allowing unprivileged local users to send commands to the root-running
daemon via the abstract UNIX socket.

Problem was found by Gemini Pro, operated by Dirk Mueller of SUSE.

https://bugzilla.suse.com/show_bug.cgi?id=1264086

The bug was added in 1.9.3.

Ciao, Marcus
-- 
Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, HRB 36809, AG Nuernberg
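Added illustration, not haveged's code and not part of the advisory: a minimal C command-socket handler with the fail-open shape the advisory describes (NAK sent, function keeps going) beside the fail-closed fix. The reply strings, function names and the Linux SO_PEERCRED helper are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#define REPLY_ACK "ACK"
#define REPLY_NAK "NAK"

/* Same layout as Linux's struct ucred; declared here so the example
 * compiles without _GNU_SOURCE. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Uid of the process at the other end of a connected UNIX socket, or
 * (uid_t)-1 if unavailable. SO_PEERCRED is Linux-specific. */
uid_t peer_uid(int fd)
{
#ifdef SO_PEERCRED
    struct peer_cred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) == 0)
        return cred.uid;
#else
    (void)fd;
#endif
    return (uid_t)-1;
}

/* Stand-in for the daemon's privileged dispatcher: 1 if acted on. */
static int run_command(const char *cmd) { return cmd[0] != '\0'; }

/* Fail-open shape from the advisory: a NAK goes back to the non-root
 * caller, but nothing stops the function, so the command still runs. */
int handle_vulnerable(uid_t caller, const char *cmd, char *reply, size_t n)
{
    if (caller != 0)
        snprintf(reply, n, "%s", REPLY_NAK);   /* no return here */
    else
        snprintf(reply, n, "%s", REPLY_ACK);
    return run_command(cmd);
}

/* Fixed shape: the uid check fails closed. */
int handle_fixed(uid_t caller, const char *cmd, char *reply, size_t n)
{
    if (caller != 0) {
        snprintf(reply, n, "%s", REPLY_NAK);
        return 0;
    }
    snprintf(reply, n, "%s", REPLY_ACK);
    return run_command(cmd);
}
```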
