Bug 2496581 (CVE-2026-14476) - CVE-2026-14476 sssd: sssd: GPO cache path traversal via unsanitized gPCFileSysPath allows Kerberos authentication bypass
Summary: CVE-2026-14476 sssd: sssd: GPO cache path traversal via unsanitized gPCFileSy...
Keywords:
Status: NEW
Alias: CVE-2026-14476
Deadline: 2026-07-07
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2497650
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-02 15:32 UTC by OSIDB Bzimport
Modified: 2026-07-07 09:09 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-02 15:32:22 UTC
The ad_gpo_extract_smb_components() function in SSSD's AD GPO provider converts backslashes to forward slashes in the gPCFileSysPath LDAP attribute but does not sanitize .. path components. A differential between libsmbclient's path clamping (resolves .. at the share root) and the kernel's path resolution (resolves .. fully) allows an attacker with AD GPO management access to write files outside the GPO cache directory as root.

On SELinux-enforcing systems (the default on RHEL), the traversal can target /var/lib/sss/pubconf/krb5.include.d/ (labeled sssd_public_t), enabling Kerberos KDC redirection and authentication bypass. On SELinux-permissive or disabled systems, arbitrary file write as root is possible.


Note You need to log in before you can comment on or make changes to this bug.