DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-6970: CVE-2026-6970: Local Privilege Escalation via Improper GID Assignment in Canonical authd

#security #cve #cybersecurity

CVE-2026-6970: Local Privilege Escalation via Improper GID Assignment in Canonical authd

Vulnerability ID: CVE-2026-6970
CVSS Score: 7.3
Published: 2026-05-05

Canonical authd versions prior to 0.6.4 contain a local privilege escalation and denial of service vulnerability stemming from a logic error in primary group ID (GID) assignment. The daemon improperly overwrites intentional administrative GID configurations during identity provider synchronization events.

TL;DR

Canonical authd incorrectly overwrites custom user GIDs with their UID during identity syncs. This logic flaw permits local privilege escalation via group collision and causes denial of service through incorrect file ownership.

Technical Details

  • CVE ID: CVE-2026-6970
  • CVSS v4.0: 7.3 (High)
  • Attack Vector: Local (AV:L)
  • EPSS Score: 0.00015 (2.93%)
  • CWE ID: CWE-842
  • Impact: Local Privilege Escalation, Denial of Service
  • Exploit Status: None
  • KEV Status: Not Listed

Affected Systems

  • Canonical authd
  • authd: < 0.6.4 (Fixed in: 0.6.4)
  • authd: = 0.6.0 (Fixed in: 0.6.1ubuntu0.1)
  • authd: >= 0.6.1, < 0.6.1ubuntu0.1 (Fixed in: 0.6.1ubuntu0.1)

Code Analysis

Commit: 154b428

Fix GID assignment logic to preserve existing group IDs.

- userPrivateGroup.GID = &u.UID
+ if g.GID == nil {
+     if g == userPrivateGroup {
+         g.GID = &u.UID
+     } else {
+         newGroups = append(newGroups, *g)
+         continue
+     }
+ }
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade authd to a patched release (0.6.4 upstream or 0.6.1ubuntu0.1 for Ubuntu).
  • Audit existing user database records to identify mismatched GID assignments.
  • Perform filesystem scans to correct ownership of files created under vulnerable daemon versions.

Remediation Steps:

  1. Execute apt update && apt upgrade authd to install the patched version.
  2. Run getent passwd and map intended group configurations against the current system state.
  3. Use authctl group set-gid to restore any custom GID assignments that were overwritten prior to patching.
  4. Execute find / -type f -uid <USER_UID> -gid <USER_UID> in shared directories to identify incorrectly owned files and run chgrp to restore appropriate group ownership.

References

Read the full report for CVE-2026-6970 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)