CVE-2026-41054: Local Privilege Escalation in haveged
The National Vulnerability Database has disclosed CVE-2026-41054, a critical vulnerability in the haveged entropy generation daemon. The socket_handler function in src/havegedcmd.c incorrectly handles credential checks. While it identifies non-root users attempting to connect to the abstract UNIX socket (\0/sys/entropy/haveged), it fails to terminate the connection. This oversight allows any unprivileged local user to proceed and execute privileged commands, such as MAGIC_CHROOT, bypassing intended security controls.
This flaw, rated HIGH with a CVSS score of 7.8, exposes systems to significant risk. An attacker with initial local access, even without administrative privileges, can leverage this vulnerability to gain elevated system control. The National Vulnerability Database notes this vulnerability falls under CWE-305, focusing on incorrect identification or validation of sensitive information. Affected products were not specified, but any system running a vulnerable version of haveged is potentially at risk.
What This Means For You
- If your environment uses the haveged service, you need to verify if it's running and what version is deployed. Audit systems for any unauthorized privilege escalation attempts or unexpected execution of sensitive commands. Prioritize patching or disabling haveged if it's not strictly necessary for your entropy needs, especially on systems where local user access cannot be fully trusted.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-41054: Unprivileged User Executing haveged Commands
title: CVE-2026-41054: Unprivileged User Executing haveged Commands
id: scw-2026-05-20-ai-1
status: experimental
level: critical
description: |
Detects an unprivileged user attempting to execute privileged commands via the haveged utility, specifically targeting the vulnerability described in CVE-2026-41054. The vulnerability allows local unprivileged users to execute privileged commands like MAGIC_CHROOT by exploiting a flaw in the socket_handler function's credential check.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-41054/
tags:
- attack.privilege_escalation
- attack.t1068
logsource:
category: process_creation
detection:
selection:
Image|startswith:
- '/usr/sbin/haveged'
CommandLine|contains:
- 'MAGIC_CHROOT'
User|ne:
- 'root'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41054 | Vulnerability | CVE-2026-41054 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 20, 2026 at 13:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-20240 — Denial of Service
CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...
Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data
CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...