CVE-2026-41054
CVSS 7.8
Daily digests
The haveged daemon checks whether a connecting user on its UNIX socket is root, but if the check fails it doesn't actually stop processing the request. Any local unprivileged user can send privileged commands (like MAGIC_CHROOT) to the haveged socket and have them executed. This is a classic "check but don't enforce" bug.
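The "check but don't enforce" pattern described above, reduced to a minimal C sketch. This is an added example, not haveged's source: the command code, state struct and function names are hypothetical, and the peer UID is passed in as a parameter instead of being read from the socket.

```c
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical command code modelled on the MAGIC_CHROOT command named above. */
enum cmd { CMD_CHROOT = 1 };
enum result { RES_OK = 0, RES_DENIED = 1 };

/* Records whether the privileged side effect happened. */
struct daemon_state { int chroot_applied; };

static void run_command(struct daemon_state *st, enum cmd c)
{
    if (c == CMD_CHROOT)
        st->chroot_applied = 1;   /* stand-in for the privileged action */
}

/* Flawed pattern: the failed check is recorded, but handling continues. */
enum result handle_flawed(struct daemon_state *st, uid_t peer_uid, enum cmd c)
{
    enum result res = RES_OK;
    if (peer_uid != 0)
        res = RES_DENIED;         /* noted, never acted on */
    run_command(st, c);           /* reached for every caller */
    return res;
}

/* Enforced pattern: a failed check ends request handling. */
enum result handle_enforced(struct daemon_state *st, uid_t peer_uid, enum cmd c)
{
    if (peer_uid != 0)
        return RES_DENIED;        /* fail closed before any dispatch */
    run_command(st, c);
    return RES_OK;
}

int main(void)
{
    struct daemon_state flawed = {0}, enforced = {0};
    uid_t unprivileged = 1000;    /* constructed sample UID */

    handle_flawed(&flawed, unprivileged, CMD_CHROOT);
    handle_enforced(&enforced, unprivileged, CMD_CHROOT);
    printf("flawed:   privileged action ran = %d\n", flawed.chroot_applied);
    printf("enforced: privileged action ran = %d\n", enforced.chroot_applied);
    return 0;
}
```

Both handlers report a denial for UID 1000; only the return status differs from the side effect in the flawed one, which is why a regression test for this class of bug should assert on the daemon's state and not just on the reply.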