{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4948", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-27T05:23:36.264Z", "datePublished": "2026-03-27T05:30:23.632Z", "dateUpdated": "2026-03-27T11:21:20.810Z"}, "containers": {"cna": {"title": "Firewalld: firewalld: local unprivileged user can modify firewall state due to d-bus setter mis-authorization", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "firewalld", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "firewalld", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "firewalld", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "firewalld", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhcos", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:openshift:4"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-4948", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452086", "name": "RHBZ#2452086", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-03-27T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-279", "description": "Incorrect Execution-Assigned Permissions", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-279: Incorrect Execution-Assigned Permissions", "workarounds": [{"lang": "en", "value": "To mitigate this issue, ensure that the firewalld desktop policy is not active on systems where local unprivileged user access is a concern. If firewalld is not required, it can be disabled. Disabling firewalld may impact network services that rely on it.\n\nTo disable firewalld:\nsudo systemctl stop firewalld\nsudo systemctl disable firewalld\n\nA system restart or service reload may be required for changes to take full effect."}], "timeline": [{"lang": "en", "time": "2026-03-27T04:44:51.806Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-03-27T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Asim Viladi Oglu Manizada for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-03-27T05:35:20.262Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T11:21:05.300360Z", "id": "CVE-2026-4948", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T11:21:20.810Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus (Desktop Bus) setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication, leading to unauthorized changes in network security configurations."}], "id": "CVE-2026-4948", "lastModified": "2026-03-27T06:16:39.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-03-27T06:16:39.543", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-4948"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452086"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-279"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T07:21:17.436293+00:00", "value": {"mitigation_remediation": ["Stop and disable firewalld service with systemctl.", "Ensure the firewalld desktop policy is not active on systems where local unprivileged user access is a concern.", "Reboot the system or reload the service to apply changes fully.", "Verify that firewall rules are intact and no unauthorized changes have occurred.", "Monitor system logs for any unexpected D\u2011Bus activity related to firewalld.", "Check Red\u00a0Hat advisories for a future patch and apply it when released."], "summary": {"action": "Apply workaround", "impact": "Unauthorized modification of firewall state"}, "threat_synthesis": {"affected_systems": "Affected products include Red\u00a0Hat Enterprise Linux\u00a07 through\u00a010 and Red\u00a0Hat OpenShift Container Platform\u00a04. All versions of the firewalld service shipped with these distributions are susceptible; no specific sub\u2011versions are listed.", "description_and_impact": "The vulnerability in firewalld occurs when two runtime D\u2011Bus setters, setZoneSettings2 and setPolicySettings, are mis\u2011authorized. A local unprivileged user can invoke these setters without proper authentication, allowing the user to change the firewall configuration at runtime. This leads to unauthorized changes in network security settings such as opening ports or altering zones, thereby undermining the protection intended by the firewall.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a moderate impact. The exploit probability is not reported, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting a lower likelihood of widespread exploitation. The attack vector is local; an attacker must have an account on the host and may already have ordinary user privileges. Once the unprivileged user invokes the mis\u2011authorized D\u2011Bus calls, the firewall state can be altered immediately, potentially exposing services to the outside world or bypassing security policies."}}}}, "created": "2026-03-27T09:22:09.308205+00:00", "updated": "2026-03-27T09:22:09.308236+00:00", "vendors": []}