Bug 2493580 (CVE-2026-57964) - CVE-2026-57964 spice-vdagent: Authentication bypass on macOS/BSD due to dummy session info
Summary: CVE-2026-57964 spice-vdagent: Authentication bypass on macOS/BSD due to dummy...
Keywords:
Status: NEW
Alias: CVE-2026-57964
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-26 15:36 UTC by OSIDB Bzimport
Modified: 2026-06-29 08:10 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-26 15:36:57 UTC
A vulnerability was found in spice-vdagent. On macOS and BSD platforms, the dummy-session-info.c:session_info_create() function unconditionally returns NULL because neither ConsoleKit nor systemd-logind exists. In vdagentd.c:agent_connect(), the entire UID/PID verification block is wrapped inside a conditional check on session_info. When session_info is NULL (always on macOS/BSD), zero authentication is performed. Any process that connects to the UDSCS socket is silently accepted as the daemon's trusted agent, allowing an unprivileged local user to become active_session_conn with no credential checks. This enables receiving all host-to-guest messages (clipboard data, file transfers, monitor config), injecting clipboard data to the SPICE host, intercepting file transfers, and preventing the legitimate agent from becoming active. Additionally, the check_uid_of_pid() function reads /proc/%u/status which does not exist on macOS/Darwin. On Linux with systemd-logind, the daemon logs "UID mismatch" but reportedly still processes commands from unauthorized connections.

Note: macOS/BSD is not a platform shipped by Red Hat, but the vulnerability exists in the upstream spice-vdagent codebase.
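
The fail-open pattern reported above, modelled beside a fail-closed form. This is an added example, not spice-vdagent code: the types, function names and the configured fallback UID are hypothetical, and the peer values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical model types, not the spice-vdagent structures. */
struct session_backend { uid_t active_uid; }; /* NULL pointer: no ConsoleKit/logind */
struct peer {
    pid_t pid;
    uid_t uid;
    bool uid_known; /* false models a failed UID lookup, e.g. no /proc */
};
enum verdict { REJECT = 0, ACCEPT_ACTIVE = 1 };

/* Reported pattern: the UID check runs only when a session backend exists. */
enum verdict decide_fail_open(const struct session_backend *sb,
                              const struct peer *p)
{
    if (sb != NULL) {
        if (!p->uid_known || p->uid != sb->active_uid)
            return REJECT;
    }
    return ACCEPT_ACTIVE; /* sb == NULL: accepted with nothing verified */
}

/* Fail-closed form: a missing backend or unknown UID can never accept.
 * fallback_uid is an assumed operator-configured UID; NULL means none. */
enum verdict decide_fail_closed(const struct session_backend *sb,
                                const struct peer *p, const uid_t *fallback_uid)
{
    uid_t expected;
    if (!p->uid_known)
        return REJECT;
    if (sb != NULL)
        expected = sb->active_uid;
    else if (fallback_uid != NULL)
        expected = *fallback_uid;
    else
        return REJECT;
    return p->uid == expected ? ACCEPT_ACTIVE : REJECT;
}

int main(void)
{
    struct peer other = { 4242, 1001, true }; /* constructed sample peer */
    printf("no backend: fail-open=%d fail-closed=%d\n",
           decide_fail_open(NULL, &other), decide_fail_closed(NULL, &other, NULL));
    return 0;
}
```
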

