NIXPKGS-2026-0839

GitHub issue published on 31 Mar 2026

Permalink CVE-2026-4948

5.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

updated 11 hours ago by @mweinelt Activity log

Created automatic suggestion 3 days, 19 hours ago
@mweinelt removed package firewalld-gui 11 hours ago
@mweinelt accepted 11 hours ago
@mweinelt published on GitHub 11 hours ago

Firewalld: firewalld: local unprivileged user can modify firewall state due to d-bus setter mis-authorization

A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations.

References

https://access.redhat.com/security/cve/CVE-2026-4948 x_refsource_REDHAT vdb-entry
RHBZ#2452086 issue-tracking x_refsource_REDHAT

Affected products

rhcos

firewalld

Matching in nixpkgs

pkgs.firewalld

Firewall daemon with D-Bus interface

nixos-unstable 2.4.0
- nixpkgs-unstable 2.4.0
- nixos-unstable-small 2.4.0
nixos-25.11 2.4.0
- nixos-25.11-small 2.4.0
- nixpkgs-25.11-darwin 2.4.0

Ignored packages (1)

pkgs.firewalld-gui