CVE-2015-3218
CVE-2015-3218 is a low-severity vulnerability in Polkit Project Polkit with a CVSS 2.0 base score of 2.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Low (CVSS 2.0 base score 2.1)
- EPSS exploit prediction: 0% (33rd percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Polkit Project Polkit
- Published:
- Last modified:
Description
The authentication_agent_new function in polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka polkit) before 0.113 allows local users to cause a denial of service (NULL pointer dereference and polkitd daemon crash) by calling RegisterAuthenticationAgent with an invalid object path.
Frequently asked questions
- What is CVE-2015-3218?
- The authentication_agent_new function in polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka polkit) before 0.113 allows local users to cause a denial of service (NULL pointer dereference and polkitd daemon crash) by calling RegisterAuthenticationAgent with an invalid object path.
- How severe is CVE-2015-3218?
- CVE-2015-3218 has a CVSS 2.0 base score of 2.1, rated low severity.
- Is CVE-2015-3218 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (33rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2015-3218?
- CVE-2015-3218 affects Polkit Project Polkit. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2015-3218?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2015-3218 published?
- CVE-2015-3218 was published on 2015-10-26 and last updated on 2026-06-17.
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161721.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162294.html
- http://lists.freedesktop.org/archives/polkit-devel/2015-July/000432.html
- http://lists.freedesktop.org/archives/polkit-devel/2015-May/000420.html
- http://lists.freedesktop.org/archives/polkit-devel/2015-May/000421.html
- http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00010.html
- http://lists.opensuse.org/opensuse-updates/2015-11/msg00042.html
- http://www.securityfocus.com/bid/76086
- http://www.securitytracker.com/id/1035023
- https://usn.ubuntu.com/3717-1/
Affected products (1)
- cpe:2.3:a:polkit_project:polkit:*:*:*:*:*:*:*:*
More vulnerabilities in Polkit Project Polkit
- CVE-2018-19788 — High (CVSS 8.8): A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully…
- CVE-2021-3560 — High (CVSS 7.8): It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the…
- CVE-2021-4034 — High (CVSS 7.8): A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid…
- CVE-2013-4288 — High (CVSS 7.2): Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain…
- CVE-2019-6133 — Medium (CVSS 6.7): In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic,…
- CVE-2021-4115 — Medium (CVSS 5.5): There is a flaw in polkit which can allow an unprivileged user to cause polkit to crash, due to process file descriptor…