CVE-2026-31979
CVE-2026-31979 is a high-severity local privilege escalation vulnerability in Himmelblau, an open-source Azure Entra ID authentication and Intune compliance suite for Linux. The vulnerability resides in the himmelblaud-tasks daemon, which runs as root. The root cause traces to commit 87a51ee, which removed PrivateTmp from the tasks daemon's systemd hardening and so exposed the daemon to the host's /tmp directory without symlink protections. Four compounding factors enable exploitation: the PrivateTmp removal, directory creation via DirBuilder that follows symlinks without validation, file writes that lack the O_NOFOLLOW flag, and an insecure hardcoded ccache path at /tmp/krb5cc_. An unprivileged local user can create a symbolic link at the ccache path pointing to /etc, causing the root-privileged daemon to chown /etc to the attacker, which enables full root access. The vulnerability affects versions 1.0.0 through 3.0.1 and is patched in 3.1.0 and 2.3.8.
CVSS v3 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Weaknesses (CWE)
CWE-59, CWE-61
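The hardening that answers the missing O_NOFOLLOW and the chown of a symlinked path described above, as an added C example; it is not Himmelblau's code (the project is written in Rust) and not the actual patch. The function names, the scratch directory and the file names krb5cc_planted and krb5cc_clean are assumptions made up for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open or create a cache file under dirfd and give it to uid/gid.
 * O_NOFOLLOW guards only the last component, so the parent is a dir fd. */
int open_cache_nofollow(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    int err = 0;
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_NOFOLLOW |
                    O_NONBLOCK | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;                      /* ELOOP when name is a symlink */
    if (fstat(fd, &st) != 0)
        err = errno;
    else if (!S_ISREG(st.st_mode) || st.st_nlink != 1)
        err = EINVAL;                   /* not a plain, singly linked file */
    else if (fchown(fd, uid, gid) != 0) /* by fd, never chown(path) */
        err = errno;
    if (err) { close(fd); errno = err; return -1; }
    return fd;
}

/* Constructed scenario: a symlink is pre-planted at the cache name inside a
 * scratch directory. Returns 0 if it is refused and a clean name works. */
int demo(void)
{
    char dir[] = "/tmp/ccache-demo-XXXXXX";
    if (!mkdtemp(dir))
        return -1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0 || symlinkat("target", dfd, "krb5cc_planted") != 0)
        return -1;                      /* the link target need not exist */
    int bad = open_cache_nofollow(dfd, "krb5cc_planted", geteuid(), getegid());
    int bad_errno = errno;
    int good = open_cache_nofollow(dfd, "krb5cc_clean", geteuid(), getegid());
    if (good >= 0) close(good);
    unlinkat(dfd, "krb5cc_planted", 0);
    unlinkat(dfd, "krb5cc_clean", 0);
    close(dfd);
    rmdir(dir);
    return (bad == -1 && bad_errno == ELOOP && good >= 0) ? 0 : 1;
}

int main(void) { return demo(); }
```

Because ownership is changed through the descriptor returned by openat, a link swapped in after the open cannot redirect the fchown to another object.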