[Pkg-sssd-devel] Bug#1134269: src:sssd: CVE-2026-6245: local DoS in PAM passkey responder
James Montgomery
james_montgomery at disroot.org
Sat Apr 18 16:03:15 BST 2026
Package: src:sssd
Version: 2.12.0-4
Severity: important
Tags: security
User: debian-security at lists.debian.org
Usertags: CVE-2026-6245
Dear Maintainer,
The following vulnerability was published for sssd.
CVE-2026-6245[1]:
| A flaw was found in the System Security Services Daemon (SSSD). The
| pam_passkey_child_read_data() function within the PAM passkey responder
| fails to properly handle raw bytes received from a pipe. Because the data
| is treated as a NUL-terminated C string without explicit termination, it
| results in an out-of-bounds read when processed by functions like
| snprintf(). A local attacker could potentially trigger this vulnerability
| by initiating a crafted passkey authentication request, causing the SSSD
| PAM responder to crash, resulting in a local Denial of Service (DoS).
Red Hat rates this as Moderate with CVSS 5.5
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and currently lists the
affected packages as "Fix deferred"[2].
I checked the current Debian unstable source package, 2.12.0-4, and the
PAM passkey responder still appears to contain the affected pattern in
src/responder/pam/pamsrv_passkey.c:
str = malloc(sizeof(char) * buf_len);
...
snprintf(str, buf_len, "%s", buf);
Upstream master appears to contain the same code at the time of filing,
and I was not able to find a public upstream issue, pull request, or fixing
commit for this CVE yet.
[1] https://www.cve.org/CVERecord?id=CVE-2026-6245
[2] https://access.redhat.com/security/cve/CVE-2026-6245
[3] https://bugzilla.redhat.com/show_bug.cgi?id=2457954
Regards,
James
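Added example for readers of this report, not code from SSSD or from the reporter: the fix pattern for the flaw described above, in C. Raw pipe bytes carry no guaranteed NUL, so the hardened forms either copy exactly buf_len bytes and terminate explicitly, or bound the snprintf read with "%.*s"; function names are hypothetical and the payload is constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape quoted in the report (not executed here): buf holds
 * raw pipe bytes with no guaranteed NUL, so "%s" reads past buf_len.
 *
 *   str = malloc(sizeof(char) * buf_len);
 *   snprintf(str, buf_len, "%s", buf);
 */

/* Hardened copy (hypothetical helper): allocate one extra byte, copy
 * exactly buf_len bytes and terminate explicitly. buf is never
 * interpreted as a string. Caller frees the result. */
char *bytes_to_cstring(const uint8_t *buf, size_t buf_len)
{
    if (buf == NULL || buf_len == SIZE_MAX) return NULL;
    char *str = malloc(buf_len + 1);
    if (str == NULL) return NULL;
    memcpy(str, buf, buf_len);
    str[buf_len] = '\0';
    return str;
}

/* Alternative if snprintf is kept: "%.*s" caps the bytes read from buf at
 * buf_len, so the source need not be NUL-terminated. Returns the number of
 * bytes stored in dst (excluding the NUL), or -1 on error. */
int bytes_to_cstring_snprintf(char *dst, size_t dst_len,
                              const uint8_t *buf, size_t buf_len)
{
    if (dst == NULL || dst_len == 0 || buf_len > INT_MAX) return -1;
    int n = snprintf(dst, dst_len, "%.*s", (int)buf_len, (const char *)buf);
    if (n < 0) return -1;
    /* snprintf reports the full length; clamp to what actually fit. */
    return n < (int)dst_len ? n : (int)dst_len - 1;
}

int main(void)
{
    /* Constructed payload: 11 bytes as they might arrive from the pipe,
     * deliberately without a terminating NUL. */
    const uint8_t raw[] = { 'p','a','s','s','k','e','y',':','o','k','!' };
    char *s = bytes_to_cstring(raw, sizeof raw);
    if (s == NULL) return 1;
    printf("%s (%zu bytes)\n", s, strlen(s));  /* passkey:ok! (11 bytes) */
    free(s);
    return 0;
}
```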