A local privilege escalation security vulnerability could allow attackers to gain root access on Ubuntu systems by exploiting a double-free memory corruption bug in GNOME's AccountsService component.
AccountsService is a D-Bus service that helps manipulate and query information attached to the user accounts available on a device.
The security flaw (a memory management bug tracked as CVE-2021-3939) was accidentally spotted by GitHub security researcher Kevin Backhouse while testing an exploit demo for another AccountsService bug that also made it possible to escalate privileges to root on vulnerable devices.
"AccountsService could be made to crash or run programs as an administrator if it received a specially crafted command," an Ubuntu security advisory explains.