CVE-2026-6245

EUVD-2026-23032

15.04.2026, 19:16

A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an out-of-bounds read when processed by functions like snprintf(). A local attacker could potentially trigger this vulnerability by initiating a crafted passkey authentication request, causing the SSSD PAM responder to crash, resulting in a local Denial of Service (DoS).

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Debian Releases

Debian Product

Codename

sssd

bookworm	2.8.2-4+deb12u1 fixed
bullseye	2.4.1-2 fixed
bullseye (security)	2.4.1-2+deb11u1 fixed
sid	vulnerable
trixie	no-dsa

Common Weakness Enumeration

CWE-805 - Buffer Access with Incorrect Length Value
The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.

References

https://access.redhat.com/security/cve/CVE-2026-6245

https://bugzilla.redhat.com/show_bug.cgi?id=2457954