CRITICAL🇵🇱 Wersja polska

CVE-2026-37531

CVSS 9.8v3.1pub. 2026-05-01upd. 2026-05-18

AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal sequences it only blocks absolute paths. The zread extraction function uses openat(workdirfd, filename, O_CREAT) which resolves dot notation values relative to the work directory, allowing files to be written anywhere on the filesystem. Critically, in function install_widget in file wgtpkg-install.c, extraction via zread occurs BEFORE signature verification via check_all_signatures. Even if signature verification fails, the error cleanup (remove_workdir) only deletes the temporary work directory files written outside via path traversal persist permanently.

🤖 AI Analysis
How it works

The `is_valid_filename` function in the `wgtpkg-zip.c` file verifies ZIP archive entry names, but only blocks absolute paths — it does not check sequences containing dot notation (e.g., `../`). The `zread` function performs extraction using `openat(workdirfd, filename, O_CREAT)`, which resolves relative paths outside the working directory and enables files to be written anywhere on the system. The critical TOCTOU race condition lies in the `install_widget` function (in `wgtpkg-install.c`) where file extraction by `zread` occurs BEFORE signature verification by `check_all_signatures`. Even if signature verification fails, the cleanup procedure `remove_workdir` only removes files from the temporary directory — files written outside it via path traversal remain on the file system permanently.

Impact

An unauthenticated attacker can write arbitrary files to any location on the device's file system, which in practice enables permanent system takeover, privilege escalation, or malicious code injection — even if the supplied widget has an invalid signature.

Mitigation & patch

Apply patches available from the manufacturer according to the references. Temporarily restrict widget installation to trusted, authenticated sources and monitor the integrity of critical file system resources. It is recommended to monitor the project repository at https://gerrit.automotivelinux.org/gerrit/src/app-framework-main to obtain current fixes.

Who is affected

AGL app-framework-main in versions up to and including 17.1.12.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Linuxfoundation Automotive Grade Linux

    OS
    Linuxfoundation
    ≤ 17.1.12
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path TraversalRace Condition
CWE
References

Related vulnerabilities

CVE-2026-37525HIGH7.8ten sam produkt

AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the su...

CVE-2026-37526HIGH7.8ten sam produkt

AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervis...

CVE-2026-37530HIGH7.5ten sam produkt

AGL agl-service-can-low-level thru 17.1.12 contains a stack buffer overflow in the uds-c library. The send_dia...

CVE-2026-37532HIGH7.1ten sam produkt

AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_c...

CVE-2022-48363HIGH7.5ten sam produkt

In MPD before 0.23.8, as used on Automotive Grade Linux and other platforms, the PipeWire output plugin mishan...