{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25704", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "state": "PUBLISHED", "assignerShortName": "suse", "dateReserved": "2026-02-05T15:37:24.184Z", "datePublished": "2026-03-30T07:44:39.672Z", "dateUpdated": "2026-04-16T16:32:11.153Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-03-30T07:44:39.672Z"}, "title": "Incomplete privilege drop for com.system76.CosmicGreeter.GetUserData", "datePublic": "2026-03-11T11:25:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-271", "description": "CWE-271: Privilege Dropping / Lowering Errors", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}], "affected": [{"vendor": "pop-os", "product": "cosmic-greeter", "packageName": "cosmic-greeter", "versions": [{"status": "affected", "version": "?", "lessThan": "https://github.com/pop-os/cosmic-greeter/pull/426", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A Privilege Dropping / Lowering Errors/Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in\u00a0 cosmic-greeter can allow an attacker to regain privileges that should have been dropped and abuse them in the racy checking logic.\n\n\n\n\nThis issue affects cosmic-greeter before https://github.Com/pop-os/cosmic-greeter/pull/426.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div>A Privilege Dropping / Lowering Errors/Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in&nbsp; cosmic-greeter can allow an attacker to regain privileges that should have been dropped and abuse them in the racy checking logic.</div><div><br></div><p>This issue affects cosmic-greeter before https://github.Com/pop-os/cosmic-greeter/pull/426.</p>"}]}], "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-25704"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.8, "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Matthias Gerstner of SUSE", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:15:22.499459Z", "id": "CVE-2026-25704", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:16:08.947Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/16/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-16T16:32:11.153Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/16/3"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-16T16:32:11.153Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25704", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:15:22.499459Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:15:57.804Z"}}], "cna": {"title": "Incomplete privilege drop for com.system76.CosmicGreeter.GetUserData", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Matthias Gerstner of SUSE"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "pop-os", "product": "cosmic-greeter", "versions": [{"status": "affected", "version": "?", "lessThan": "https://github.com/pop-os/cosmic-greeter/pull/426", "versionType": "git"}], "packageName": "cosmic-greeter", "defaultStatus": "unaffected"}], "datePublic": "2026-03-11T11:25:00.000Z", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-25704"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A Privilege Dropping / Lowering Errors/Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in\u00a0 cosmic-greeter can allow an attacker to regain privileges that should have been dropped and abuse them in the racy checking logic.\n\n\n\n\nThis issue affects cosmic-greeter before https://github.Com/pop-os/cosmic-greeter/pull/426.", "supportingMedia": [{"type": "text/html", "value": "<div>A Privilege Dropping / Lowering Errors/Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in&nbsp; cosmic-greeter can allow an attacker to regain privileges that should have been dropped and abuse them in the racy checking logic.</div><div><br></div><p>This issue affects cosmic-greeter before https://github.Com/pop-os/cosmic-greeter/pull/426.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-271", "description": "CWE-271: Privilege Dropping / Lowering Errors"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2026-03-30T07:44:39.672Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25704", "state": "PUBLISHED", "dateUpdated": "2026-04-16T16:32:11.153Z", "dateReserved": "2026-02-05T15:37:24.184Z", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "datePublished": "2026-03-30T07:44:39.672Z", "assignerShortName": "suse"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Privilege Dropping / Lowering Errors/Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in\u00a0 cosmic-greeter can allow an attacker to regain privileges that should have been dropped and abuse them in the racy checking logic.\n\n\n\n\nThis issue affects cosmic-greeter before https://github.Com/pop-os/cosmic-greeter/pull/426."}, {"lang": "es", "value": "Una vulnerabilidad de condici\u00f3n de carrera de errores de eliminaci\u00f3n/reducci\u00f3n de privilegios/tiempo de verificaci\u00f3n, tiempo de uso (TOCTOU) en cosmic-greeter puede permitir a un atacante recuperar privilegios que deber\u00edan haber sido eliminados y abusar de ellos en la l\u00f3gica de verificaci\u00f3n propensa a condiciones de carrera.\n\nEste problema afecta a cosmic-greeter antes de https://github.Com/pop-os/cosmic-greeter/pull/426."}], "id": "CVE-2026-25704", "lastModified": "2026-04-16T17:16:54.590", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "meissner@suse.de", "type": "Secondary"}]}, "published": "2026-03-30T08:16:16.990", "references": [{"source": "meissner@suse.de", "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2026-25704"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/16/3"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-271"}, {"lang": "en", "value": "CWE-367"}], "source": "meissner@suse.de", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,https://github.com/pop-os/cosmic-greeter/pull/426)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "cosmic-greeter", "source": "cna", "vendor": "pop-os"}, "product": "cosmic-greeter", "vendor": "pop-os"}], "analysis": {"en": {"generated_at": "2026-03-30T09:21:07.951725+00:00", "value": {"mitigation_remediation": ["Update cosmic-greeter to the latest stable release that includes pull request 426 or later.", "If an update is not immediately available, apply the patch from the referenced pull request manually to the source and rebuild the package.", "Restart the system or the greeter service to ensure the updated code is in use."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The flaw affects Pop!_OS cosmic\u2011greeter versions prior to the merge of pull request 426 from the project\u2019s GitHub repository. All users running the base package of cosmic\u2011greeter without the patch are vulnerable. The patch is available via the referenced issue and PR and addresses the TOCTOU race in the GetUserData method of com.system76.CosmicGreeter.", "description_and_impact": "The vulnerability occurs in cosmic\u2011greeter during the user authentication process. A race condition between privilege dropping and subsequent checks allows an attacker to regain higher privileges that were intended to be relinquished. This results in privilege escalation, potentially enabling the attacker to gain unauthorized access to system resources. The flaw is categorized as an unauthorized privilege escalation (CWE\u2011271) combined with a time\u2011of\u2011check/time\u2011of\u2011use race (CWE\u2011367).", "risk_and_exploitability": "The CVSS base score is 5.8, reflecting moderate severity. No EPSS data is available, and the issue is not listed in the CISA KEV catalog, suggesting that widespread exploitation is not yet observed. Nevertheless, the attack vector is inferred to be local; a user with the ability to influence the greeter\u2019s privilege\u2011dropping logic could trigger the race condition to elevate privileges. Because the exploit requires a race during startup, it may be challenging but remains a valid concern for systems requiring strict privilege separation."}}}}, "created": "2026-03-30T20:56:02.752006+00:00", "updated": "2026-03-31T20:41:11.001453+00:00", "vendors": ["pop-os", "pop-os$PRODUCT$cosmic-greeter"]}