Control: tags -1 + confirmed

On Mon, 2026-05-04 at 01:29 +0200, Michael Biebl wrote:
> The security contacted me about
> https://security-tracker.debian.org/tracker/CVE-2026-4948
>
> A flaw was found in firewalld. A local unprivileged user can exploit
> this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus)
> setters, setZoneSettings2 and setPolicySettings. This
> mis-authorization allows the user to modify the runtime firewall state
> without proper authentication, leading to unauthorized changes in
> network security configurations.
>
> This only happens though, if the user uses the desktop policy shipped
> by firewalld (the default is the more restrictive server policy).

Please go ahead.

Regards,

Adam

