CVE-2026-41045 - qSnapper polkit authentication TOCTOU bypass
CVE-2026-41045 - qSnapper polkit authentication TOCTOU bypass - High - 2026-06-22
Business risk: A local user can cross an authentication race and perform snapshot operations as root.
Root cause: Authorization is checked separately from the privileged snapshot operation, leaving mutable state between check and use.
Affected versions
- Vulnerable: qSnapper before 1.3.3.
- Fixed / safe target: Upgrade qSnapper to 1.3.3+ and bind authorization to the exact D-Bus action executed.
- CVSS: 8.1 (High)
Exact vulnerable code pattern
if (polkitAllowed(caller, "org.opensuse.qsnapper.modify")) {
auto config = request.configName();
snapperRootOperation(config, request.operation());
}
Fixed / mitigated code pattern
const auto action = actionFor(request.operation());
const auto subject = stableSubjectFromDbusMessage(message);
if (!polkitAllowed(subject, action) || requestChangedSinceAuthorization(message, request)) {
throw AuthorizationError(action);
}
snapperRootOperation(validatedConfigName(request.configName()), request.operation());
Step-by-step integration guide
- Upgrade qSnapper to 1.3.3+.
- Review wrappers for check-then-use authorization gaps.
- Regenerate base images or configuration-management locks.
- Add local privilege regression tests.
- Verify polkit logs show action-specific decisions.
Alternative mitigations
- Remove local qSnapper D-Bus access for untrusted users.
- Disable qSnapper GUI/service on shared hosts.
- Restrict snapper operations to an admin group.
Detection signature
rg -n "qSnapper|org.opensuse.qsnapper|snapper|polkit" . /etc/polkit-1/rules.d /usr/share/polkit-1/actions
Copy-paste skill block
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-41045: qSnapper polkit authentication TOCTOU bypass.
Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.
Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.
Boundaries:
- Scope only CVE-2026-41045 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.
Tags and revenue routing
- Keywords: cve, qsnapper, polkit, dbus, linux, privilege-escalation, enterprise_blocker, high
- Affected tech stack: linux/system
- Revenue tags: enterprise_blocker