CVE-2026-41045 - qSnapper polkit authentication TOCTOU bypass

CVE-2026-41045 - qSnapper polkit authentication TOCTOU bypass - High - 2026-06-22

Business risk: A local user can cross an authentication race and perform snapshot operations as root.

Root cause: Authorization is checked separately from the privileged snapshot operation, leaving mutable state between check and use.

Affected versions

  • Vulnerable: qSnapper before 1.3.3.
  • Fixed / safe target: Upgrade qSnapper to 1.3.3+ and bind authorization to the exact D-Bus action executed.
  • CVSS: 8.1 (High)

Exact vulnerable code pattern

if (polkitAllowed(caller, "org.opensuse.qsnapper.modify")) {
    auto config = request.configName();
    snapperRootOperation(config, request.operation());
}

Fixed / mitigated code pattern

const auto action = actionFor(request.operation());
const auto subject = stableSubjectFromDbusMessage(message);
if (!polkitAllowed(subject, action) || requestChangedSinceAuthorization(message, request)) {
    throw AuthorizationError(action);
}
snapperRootOperation(validatedConfigName(request.configName()), request.operation());

Step-by-step integration guide

  1. Upgrade qSnapper to 1.3.3+.
  2. Review wrappers for check-then-use authorization gaps.
  3. Regenerate base images or configuration-management locks.
  4. Add local privilege regression tests.
  5. Verify polkit logs show action-specific decisions.

Alternative mitigations

  • Remove local qSnapper D-Bus access for untrusted users.
  • Disable qSnapper GUI/service on shared hosts.
  • Restrict snapper operations to an admin group.

Detection signature

rg -n "qSnapper|org.opensuse.qsnapper|snapper|polkit" . /etc/polkit-1/rules.d /usr/share/polkit-1/actions

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-41045: qSnapper polkit authentication TOCTOU bypass.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-41045 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, qsnapper, polkit, dbus, linux, privilege-escalation, enterprise_blocker, high
  • Affected tech stack: linux/system
  • Revenue tags: enterprise_blocker

References