A local privilege escalation vulnerability could allow attackers to gain root access on Ubuntu systems by exploiting a double-free memory corruption bug in AccountsService, a GNOME D-Bus service.
The flaw, tracked as CVE-2021-3939, was spotted by accident by a researcher while testing an exploit demo for another AccountsService bug that also made it possible to escalate privileges to root on vulnerable devices.
AccountsService could be made to crash or run programs as an administrator if it received a specially crafted command. This affects only Ubuntu’s fork of AccountsService. Versions impacted by this vulnerability include Ubuntu 21.10, Ubuntu 21.04, and Ubuntu 20.04 LTS.
This privilege escalation flaw was fixed by Canonical in November with the release of AccountsService versions 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3, and 0.6.55-0ubuntu14.1.
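As an added check that is not part of the article, the POSIX shell script below compares the installed accountsservice package against the fixed versions listed above using dpkg's own version ordering, so the `~` and `ubuntu` suffixes compare correctly. The pairing of each fixed version to its Ubuntu release is assumed from the version suffixes, and the function names are mine.

```shell
#!/bin/sh
# Fixed accountsservice versions for CVE-2021-3939, keyed by Ubuntu release.
# Assumption: the release/version pairing is inferred from the version suffixes.
fixed_version_for() {
    case "$1" in
        20.04) echo "0.6.55-0ubuntu12~20.04.5" ;;
        21.04) echo "0.6.55-0ubuntu13.3" ;;
        21.10) echo "0.6.55-0ubuntu14.1" ;;
        *) return 1 ;;   # release not covered by the advisory
    esac
}

# Prints PATCHED / VULNERABLE / UNKNOWN for the installed package.
# Optional $1 overrides the release read from /etc/os-release.
accountsservice_status() {
    release=${1:-$(sed -n 's/^VERSION_ID="\(.*\)"$/\1/p' /etc/os-release 2>/dev/null || true)}
    if ! fixed=$(fixed_version_for "$release"); then
        echo "UNKNOWN (release '$release' not in advisory)"; return 2
    fi
    if ! installed=$(dpkg-query -W -f='${Version}' accountsservice 2>/dev/null); then
        echo "UNKNOWN (accountsservice not installed)"; return 2
    fi
    # dpkg --compare-versions understands Debian ordering (e.g. 12~20.04.5 < 12).
    if dpkg --compare-versions "$installed" ge "$fixed"; then
        echo "PATCHED ($installed >= $fixed)"
    else
        echo "VULNERABLE ($installed < $fixed)"; return 1
    fi
}

# Run the live check only where the Debian tooling exists (skip on other hosts).
if command -v dpkg-query >/dev/null 2>&1 && [ -r /etc/os-release ]; then
    accountsservice_status || :
fi
```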