CVE-2021-26936

7.8 HIGH

📋 TL;DR

This vulnerability allows a local attacker to escalate privileges to root by manipulating video output paths in ReplaySorcery's default setuid-root configuration. It affects users running ReplaySorcery versions 0.4.0 through 0.5.0 with the default configuration. The attacker must have local access to the system.

💻 Affected Systems

Products:
  • ReplaySorcery
Versions: 0.4.0 through 0.5.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when using the default setuid-root configuration; other configurations may not be affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full root compromise of the system, allowing complete control, data theft, persistence, and lateral movement.

🟠 Likely Case

Local privilege escalation to root by authenticated users or attackers with initial access, leading to system compromise.

🟢 If Mitigated

No impact if the setuid-root configuration is disabled or the vulnerable version is not installed.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access, not directly exploitable over the network.
🏢 Internal Only: HIGH - Any local user or attacker with initial access can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and involves specifying malicious video output paths; details are publicly available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.1 and later

Vendor Advisory: https://github.com/matanui159/ReplaySorcery/releases

Restart Required: No

Instructions:

1. Update ReplaySorcery to version 0.5.1 or later.
2. Use your package manager or download the release from GitHub.
3. Verify the update by checking the version.

🔧 Temporary Workarounds

Disable setuid-root configuration (Linux)

Remove the setuid bit from the replay-sorcery binary so it can no longer be used to escalate privileges:

sudo chmod u-s /usr/bin/replay-sorcery

Restrict video output paths (Linux)

Configure ReplaySorcery to only allow video output in non-privileged directories. Edit the configuration files to set safe output paths; refer to the ReplaySorcery documentation.

🧯 If You Can't Patch

  • Remove ReplaySorcery from affected systems entirely.
  • Restrict local user access to systems running vulnerable versions.

🔍 How to Verify

Check if Vulnerable:

Check if ReplaySorcery is installed and its version is between 0.4.0 and 0.5.0, and if the replay-sorcery binary has setuid permissions.

Check Version:

replay-sorcery --version

Verify Fix Applied:

Confirm ReplaySorcery version is 0.5.1 or later, and check that setuid permissions are not present or properly configured.
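The verification steps above, turned into a small POSIX shell script. This is an added example, not part of the advisory or the ReplaySorcery project: the affected range 0.4.0 through 0.5.0 and the default path /usr/bin/replay-sorcery come from the advisory, while the function names and the assumption that `replay-sorcery --version` prints a MAJOR.MINOR.PATCH string somewhere in its output are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the ReplaySorcery project): encodes the
# two checks from "How to Verify" as shell functions. Path and version string
# are passed as arguments so the functions can be run against any install or
# against constructed test input.

# Turn "MAJOR.MINOR.PATCH" into one integer that compares in version order.
# Prints the key and returns 0, or prints nothing and returns 1 on malformed input.
version_key() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    (
        IFS=.
        set -- $1            # split on dots; the subshell keeps the IFS change local
        [ $# -eq 3 ] || exit 1
        echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
    )
}

# 0 when version $1 falls inside the affected range 0.4.0 .. 0.5.0 (inclusive).
version_affected() {
    key=$(version_key "$1") || return 1
    lo=$(version_key 0.4.0)
    hi=$(version_key 0.5.0)
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# 0 when the file at $1 exists and carries the setuid bit (POSIX `test -u`).
binary_is_setuid() {
    [ -u "$1" ]
}

# Vulnerable state as the advisory describes it: affected version AND setuid binary.
# The `chmod u-s` workaround flips this to false without changing the version.
# Usage: is_vulnerable /usr/bin/replay-sorcery 0.5.0
is_vulnerable() {
    version_affected "$2" && binary_is_setuid "$1"
}

# Human-readable verdict for a given binary path and version string.
report() {
    path=$1; ver=$2
    if ! version_key "$ver" >/dev/null; then
        echo "UNKNOWN: could not parse version '$ver' for $path"
    elif is_vulnerable "$path" "$ver"; then
        echo "VULNERABLE: $path is setuid and version $ver is in 0.4.0..0.5.0"
    elif version_affected "$ver"; then
        echo "MITIGATED: version $ver is affected but $path is not setuid"
    else
        echo "OK: version $ver is outside the affected range"
    fi
}

# Stand-alone run: query the installed binary if present. Parsing assumes
# (an assumption of this example) that the version appears as MAJOR.MINOR.PATCH
# somewhere in the output of `replay-sorcery --version`.
if [ -x /usr/bin/replay-sorcery ]; then
    ver=$(/usr/bin/replay-sorcery --version 2>&1 \
          | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    report /usr/bin/replay-sorcery "${ver:-unknown}"
else
    echo "replay-sorcery not installed at /usr/bin/replay-sorcery"
fi
```

The version comparison is done numerically rather than by string comparison so that a hypothetical 0.10.0 sorts after 0.5.1; `version_key` rejects anything that is not exactly three dotted numeric fields, and `report` surfaces an unparseable version as UNKNOWN instead of silently reporting OK.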

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts in system logs (e.g., /var/log/auth.log).
  • Execution of replay-sorcery with suspicious output paths.

Network Indicators:

  • None - this is a local exploit with no network indicators.

SIEM Query:

Search for events where replay-sorcery is executed with setuid privileges or from unexpected users.
