#1137096 haveged: CVE-2026-41054: missing exit out of permission check could lead to root exploit
- Package: src:haveged
- Source: src:haveged
- Submitter: Salvatore Bonaccorso
- Date: 2026-05-22 22:35:05 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for haveged.

CVE-2026-41054[0]:
| haveged: missing exit out of permission check could lead to root
| exploit

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-41054
    https://www.cve.org/CVERecord?id=CVE-2026-41054
[1] https://www.openwall.com/lists/oss-security/2026/05/19/3
[2] https://bugzilla.suse.com/show_bug.cgi?id=1264086

Regards,
Salvatore
We believe that the bug you reported is fixed in the latest version of
haveged, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1137096@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Baumann <daniel@debian.org> (supplier of updated haveged package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 19 May 2026 16:54:30 +0200
Source: haveged
Architecture: source
Version: 1.9.21-1
Distribution: sid
Urgency: high
Maintainer: Daniel Baumann <daniel@debian.org>
Changed-By: Daniel Baumann <daniel@debian.org>
Closes: 1137096
Changes:
 haveged (1.9.21-1) sid; urgency=high
 .
   * Merging upstream version 1.9.21:
     - Fix privilege escalation via command socket [CVE-2026-41054] - the uid
       check sent a NAK to non-root callers but did not exit the function,
       allowing unprivileged local users to send commands to the root-running
       daemon via the abstract UNIX socket (Closes: #1137096).
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated haveged package)
Format: 1.8
Date: Fri, 22 May 2026 14:51:39 +0200
Source: haveged
Architecture: source
Version: 1.9.19-12+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Daniel Baumann <daniel@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1137096
Changes:
 haveged (1.9.19-12+deb13u1) trixie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix privilege escalation via command socket (CVE-2026-41054)
     (Closes: #1137096)
   * Check peer credentials before reading command (CVE-2026-41054)
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated haveged package)
Format: 1.8
Date: Fri, 22 May 2026 14:56:30 +0200
Source: haveged
Architecture: source
Version: 1.9.14-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Jérémy Bobbio <lunar@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1137096
Changes:
 haveged (1.9.14-1+deb12u1) bookworm-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix privilege escalation via command socket (CVE-2026-41054)
     (Closes: #1137096)
   * Check peer credentials before reading command (CVE-2026-41054)