


Perceptive Security
SOC/SIEM Consultancy

AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Deb…
Published:
30 April 2026 at 22:00:00
Alert date:
1 May 2026 at 18:06:04
Source:
nvd.nist.gov
Mobile & IoT, Operating Systems
CVE-2026-37526 affects AGL app-framework-binder (afb-daemon) through version 19.90.0, allowing local processes to execute privileged supervision commands without authentication via an abstract Unix socket. The vulnerability exists in the on_supervision_call function, which dispatches 8 commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without credential verification. Low-privileged local processes can exploit this to kill the daemon (DoS), execute arbitrary API calls, close user sessions, or leak configuration data. The abstract socket lacks DAC protection. The vulnerability was introduced in a 2017 commit.
Technical details
Affected products:
AGL app-framework-binder
afb-daemon
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-37526
https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder
https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643
This article was created with the assistance of AI technology by Perceptive.
