CVE-2026-14476

NameCVE-2026-14476
DescriptionA path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sssd (PTS)bullseye2.4.1-2vulnerable
bullseye (security)2.4.1-2+deb11u1vulnerable
bookworm2.8.2-4+deb12u1vulnerable
trixie2.10.1-2vulnerable
sid2.12.0-4vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sssdsource(unstable)(unfixed)

Notes

[trixie] - sssd <no-dsa> (Minor issue)
https://github.com/SSSD/sssd/pull/8896
Fixed by: https://github.com/SSSD/sssd/commit/ba207eab76ff5253662a763b9b6e9ea42f03d31b (master)
Fixed by: https://github.com/SSSD/sssd/commit/3c1a31ab668b1ed7b97eb72d915a4187e549d86c (sssd-2-12 branch)
Fixed by: https://github.com/SSSD/sssd/commit/ef5c2f9a34cba9e7e2791be13de2cb1443918976 (sssd-2-10 branch)
Fixed by: https://github.com/SSSD/sssd/commit/91017d89f44da47ae16c140e94a5bcafc43badb5 (sssd-2-9 branch)

Search for package or bug name: Reporting problems