In `src/havegecmd.c`, the `socket_handler` function performs a credential check on the abstract UNIX socket (`\0/sys/entropy/haveged`). However, while it detects if the connecting user is not root (`cred.uid != 0`) and prepares a negative acknowledgement (`ASCII_NAK`), it **fails to stop execution**. The code proceeds to the `switch` statement, allowing any local unprivileged user to execute privileged commands such as `MAGIC_CHROOT`.
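The control-flow mistake described above, reduced to a minimal model next to its corrected form. This is an added example, not haveged's source: `handle_flawed`, `handle_fixed`, `dispatch`, `struct peer_cred`, `struct outcome`, `ASCII_ACK` and the numeric value of `MAGIC_CHROOT` are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
/* Constructed model of the control flow; not haveged's source code.
 * MAGIC_CHROOT's value and the struct names are placeholders. */
enum { ASCII_ACK = 0x06, ASCII_NAK = 0x15, MAGIC_CHROOT = 1 };
struct peer_cred { uid_t uid; };          /* stands in for SO_PEERCRED data */
struct outcome { int reply; int privileged_ran; };

/* Command dispatch shared by both handlers. */
static void dispatch(int magic, struct outcome *o)
{
    switch (magic) {
    case MAGIC_CHROOT:
        o->privileged_ran = 1;            /* stand-in for the privileged action */
        break;
    default:
        o->reply = ASCII_NAK;             /* unknown command */
        break;
    }
}

/* Flawed shape: the rejection is recorded but never enforced. */
struct outcome handle_flawed(struct peer_cred cred, int magic)
{
    struct outcome o = { ASCII_ACK, 0 };
    if (cred.uid != 0)
        o.reply = ASCII_NAK;              /* no return: control falls through */
    dispatch(magic, &o);
    return o;
}

/* Corrected shape: fail closed and return before any command is dispatched. */
struct outcome handle_fixed(struct peer_cred cred, int magic)
{
    struct outcome o = { ASCII_NAK, 0 };
    if (cred.uid != 0)
        return o;                         /* enforcement point */
    o.reply = ASCII_ACK;
    dispatch(magic, &o);
    return o;
}

int main(void)
{
    struct peer_cred user = { 1000 };     /* constructed unprivileged caller */
    printf("flawed: ran=%d\n", handle_flawed(user, MAGIC_CHROOT).privileged_ran);
    printf("fixed:  ran=%d\n", handle_fixed(user, MAGIC_CHROOT).privileged_ran);
    return 0;
}
```

In this model the flawed handler leaves `reply` at `ASCII_NAK` while the action has still run, so a regression test for the fix should assert on the side effect and not only on the reply byte.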
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-41054 is an authentication bypass vulnerability in haveged's socket handler that allows unprivileged local users to execute privileged commands. The `socket_handler` function in `src/havegecmd.c` checks whether a connecting user is root, but critically fails to enforce the result—it prepares a negative acknowledgement (ASCII_NAK) yet continues execution into the command processing switch statement. This means any local user can bypass the credential check and invoke sensitive operations like `MAGIC_CHROOT`, effectively escalating their privileges. The vulnerability affects systems running vulnerable haveged versions and is particularly concerning in multi-tenant or shared-access environments where local privilege escalation can lead to full system compromise.
While MITRE ATT&CK techniques are not formally mapped to this CVE, Casky's security skills—powered by Claude AI's extended reasoning—would detect the underlying attack pattern as a violation of access control enforcement (CWE-305). Practitioners using Casky would identify this as a local privilege escalation attempt through improper authentication validation. The platform's 754 mapped security skills would flag the anomalous behavior of unprivileged processes successfully invoking privileged socket commands, surface the root cause (missing return/exit statement after credential rejection), and correlate it with typical privilege escalation reconnaissance patterns. Security teams would see findings highlighting the gap between authentication decision and execution boundary, helping them prioritize patching and implement compensating controls like capability restrictions or AppArmor profiles before the vulnerability is weaponized.