Bug 2492256 (CVE-2026-58015)

Summary: CVE-2026-58015 glib: path traversal in glib/gio/gdbusauthmechanismsha1.c via keyring_lookup_entry and mechanism_client_data_receive
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: kshier, rhel-process-autobot, stcannon, teagle, watson-tool-maintainers, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in GLib. The D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism does not validate the cookie_context parameter received from the server. A malicious D-Bus server can supply a cookie_context containing path traversal sequences, causing the client to read an arbitrary file and exfiltrate sensitive data by verifying guessed file contents against a generated hash.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2494882, 2494884, 2494883    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-24 17:28:24 UTC
The GLib D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism does not validate the cookie_context parameter received from the server. The D-Bus specification explicitly states that cookie context names must not contain the characters /, \, . (period), spaces, or ASCII control characters. However, GLib's client-side code accepts this value verbatim and uses it to construct a filesystem path via g_build_filename(). A malicious D-Bus server can supply a cookie_context containing path traversal sequences such as ../.target_file, causing the client to read an arbitrary file outside the ~/.dbus-keyrings/ directory. The file contents (specifically the third space-separated token of the first matching line) are then incorporated into a SHA1 hash computation and sent back to the server as part of the authentication response. The server can verify guessed file contents against this SHA1 hash, enabling data exfiltration.