Platform
linux
Component
cosmic-greeter
Fixed in
https://github.com/pop-os/cosmic-greeter/pull/426
CVE-2026-25704 describes a Time-of-check Time-of-use (TOCTOU) race condition vulnerability discovered in cosmic-greeter. An attacker can exploit this flaw to regain dropped privileges and abuse the racy checking logic, potentially leading to unauthorized access. This vulnerability affects versions of cosmic-greeter prior to the fix released in commit https://github.com/pop-os/cosmic-greeter/pull/426. The vulnerability was publicly disclosed on 2026-03-30.
The core of this vulnerability lies in a TOCTOU race condition within cosmic-greeter's privilege dropping mechanisms. An attacker could manipulate the system state between the time a privilege check is performed and the time the privilege is actually dropped. This allows them to bypass intended security controls and regain elevated privileges. Successful exploitation could enable an attacker to execute arbitrary code with the privileges of the greeter process, potentially compromising the user's session or gaining access to sensitive system resources. The impact is particularly concerning in environments where cosmic-greeter is used as a critical component of the login process.
CVE-2026-25704 is not currently listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not yet available, suggesting a relatively low probability of immediate widespread exploitation. However, the nature of TOCTOU vulnerabilities makes them attractive to attackers, and the potential for privilege escalation warrants careful attention. The vulnerability was disclosed on 2026-03-30.
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
The primary mitigation for CVE-2026-25704 is to upgrade to the patched version of cosmic-greeter available in commit https://github.com/pop-os/cosmic-greeter/pull/426. This commit addresses the TOCTOU race condition by implementing more robust synchronization mechanisms to prevent the timing window for exploitation. If a direct upgrade is not immediately feasible, consider implementing stricter access controls and monitoring for suspicious activity related to the greeter process. While a WAF or proxy cannot directly mitigate this vulnerability, careful monitoring of system logs for unusual privilege escalation attempts is recommended.
Update cosmic-greeter to the version that includes the fix in https://github.com/pop-os/cosmic-greeter/pull/426. This correction addresses a TOCTOU race condition that allowed privilege recovery, mitigating the risk of abuse.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-25704 describes a TOCTOU race condition in cosmic-greeter, allowing an attacker to regain dropped privileges. This vulnerability affects versions before commit https://github.com/pop-os/cosmic-greeter/pull/426.
You are affected if you are using a version of cosmic-greeter prior to commit https://github.com/pop-os/cosmic-greeter/pull/426. Check your version against the fixed version to determine your risk level.
Upgrade to the patched version of cosmic-greeter available in commit https://github.com/pop-os/cosmic-greeter/pull/426. This resolves the TOCTOU race condition.
There is currently no confirmed active exploitation of CVE-2026-25704, but the potential for privilege escalation warrants vigilance.
Refer to the Pop!_OS GitHub repository for updates and advisories related to cosmic-greeter: https://github.com/pop-os/cosmic-greeter
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.