authd, Local Privilege Escalation, CVE-2026-6970 (High)

How CVE-2026-6970 Works

The flaw exists in authd versions prior to 0.6.4 due to a logic error in primary group ID assignment. When a user’s primary group ID (GID) differs from their user ID (UID)—either because the account was created with authd < 0.5.4 (Released June 2025) or because the primary group was manually changed via the `authctl group set-gid` command—the system mishandles the user’s identity provider record update. If any user information changes in the identity provider, the next login triggers authd to incorrectly reset the user’s primary group ID to their UID instead of preserving the correct GID. Consequently, the user is placed into the wrong group, causing newly created files and directories to be owned by the incorrect group. This can lead to denial of service, unintended access by other local users, and local privilege escalation.

DailyCVE Form

Platform: Authd
Version: 0.6.0
Vulnerability: Incorrect GID assignment
Severity: High
Date: 2026-04-27

Prediction: 2026-05-11

Analytics under What Undercode Say

```bash
# Identify affected authd users
authd_users=$(getent passwd --service authd | cut -d: -f1)

# Loop through each user to check and fix GID mismatch
for user in $authd_users; do
    OLD_GID=$(id -g "$user")
    GID=$(getent group "$user" | cut -d: -f3)
    if [ -z "$GID" ]; then
        echo "Warning: Could not determine GID for $user, skipping" >&2
        continue
    fi
    if [ "$OLD_GID" = "$GID" ]; then
        continue
    fi
    USER_HOME=$(getent passwd "$user" | cut -d: -f6)
    echo "Fixing $user: Resetting GID from $OLD_GID to $GID"
    sudo authctl group set-gid "$user" "$OLD_GID"
    sudo authctl group set-gid "$user" "$GID"
    sudo chown -R --from=":$OLD_GID" ":$GID" "$USER_HOME"
done
```

Exploit

An attacker with local access could:

  1. Identify a user whose GID differs from their UID (e.g., users created before authd 0.5.4).
  2. Trigger a change in the user’s identity provider record to force a login update.
  3. During the next login, authd incorrectly sets the user’s primary GID to their UID, causing the user to be assigned to the wrong group.
  4. The attacker could then create files or directories that inherit the incorrect group ownership, potentially gaining unauthorized access to sensitive data or escalating privileges to other groups.

Protection

  • Immediate Action: Upgrade authd to version 0.6.4 or later, which contains the official fix (canonical/authd@154b428).
  • Workaround: For affected users, run the provided script to reset the primary GID and correct file ownership. After applying the fix, users must log out and back in (or terminate their session with `sudo loginctl terminate-user "$user"`).
  • Verification: Use `id` and `groups` to ensure the correct primary GID is applied.
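
A read-only audit to run before the workaround, added here as an example and not taken from the advisory or the authd project. It keeps the workaround script's assumption that the correct primary group is the one named after the user; the function names and the sample records are constructed.

```shell
#!/bin/sh
# Added example: read-only audit for the primary-GID reset described above.
# Same assumption as the page's workaround script: the correct primary group
# is the group named after the user.

# find_gid_mismatch PASSWD_FILE GROUP_FILE
# Inputs are passwd(5)/group(5)-format text, e.g. saved output of
# `getent passwd --service authd` and `getent group`.
# Prints: user current_gid expected_gid signature
find_gid_mismatch() {
    awk -F: '
        NR == FNR { want[$1] = $3; next }   # first file: group name -> GID
        ($1 in want) && $4 != want[$1] {
            # primary GID == UID is the value the page says authd resets to
            sig = ($4 == $3) ? "gid-equals-uid" : "other-mismatch"
            print $1, $4, want[$1], sig
        }
    ' "$2" "$1"
}

# list_group_owned DIR GID
# Lists (does not modify) entries under DIR whose group is GID, i.e. what the
# workaround's `chown -R --from=":$OLD_GID"` would rewrite.
list_group_owned() {
    find "$1" -xdev -group "$2" -print
}

# Constructed sample records, not taken from a real system.
sample_passwd() {
    printf '%s\n' \
        'alice@example.com:x:10001:20001:Alice:/home/alice@example.com:/bin/bash' \
        'bob@example.com:x:10002:10002:Bob:/home/bob@example.com:/bin/bash' \
        'carol@example.com:x:10003:10003:Carol:/home/carol@example.com:/bin/bash'
}
sample_group() {
    printf '%s\n' \
        'alice@example.com:x:20001:' \
        'bob@example.com:x:20002:' \
        'carol@example.com:x:10003:'
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && sample_passwd >"$tmp/p" && sample_group >"$tmp/g"
    find_gid_mismatch "$tmp/p" "$tmp/g"   # bob@example.com 10002 20002 gid-equals-uid
    rm -rf "$tmp"
fi
```

Reviewing the `list_group_owned` output for each flagged user's home directory before running the workaround shows which files its `chown` would touch.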

Impact

  • Local Privilege Escalation: An attacker can gain unintended access to files and directories owned by other local users.
  • Denial of Service: Misconfigured group ownership can prevent legitimate users from accessing their own resources.
  • Data Leakage: Sensitive files created by affected users become accessible to other local users, leading to potential data breaches.

Sources:

Reported By: github.com