CVE-2026-6245

NameCVE-2026-6245
DescriptionA flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an out-of-bounds read when processed by functions like snprintf(). A local attacker could potentially trigger this vulnerability by initiating a crafted passkey authentication request, causing the SSSD PAM responder to crash, resulting in a local Denial of Service (DoS).
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1134269

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sssd (PTS)bullseye2.4.1-2vulnerable
bullseye (security)2.4.1-2+deb11u1vulnerable
bookworm2.8.2-4+deb12u1vulnerable
trixie2.10.1-2vulnerable
forky, sid2.12.0-4vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sssdsource(unstable)(unfixed)1134269

Notes

[trixie] - sssd <no-dsa> (Minor issue)
[bookworm] - sssd <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2457954
https://github.com/SSSD/sssd/pull/8622
Fixed by: https://github.com/SSSD/sssd/commit/550b08cabe4dd5508c7ea74f634869374204d63f (2.13.0)
Search for package or bug name: Reporting problems