Firezone logo light
← All security advisories

Linux GUI Client IPC accepts any local process

Advisory ID
FZ-2026-002
Affected component
Linux GUI Client
Affected version(s)
< 1.5.13
Fixed version(s)
1.5.13
Published

Summary

The Linux Firezone tunnel service exposes a Unix domain socket that the GUI uses for IPC. Prior to 1.5.13, the service authorized peers on this socket only by group membership (firezone-client). Because the desktop user belongs to that group, any process that user ran could connect to the socket and drive the privileged tunnel service — start or stop the tunnel, change the Client's connection settings (including the account and the control-plane and authentication URLs), and read session state.

Impact

An unprivileged local process running as the same desktop user could connect to the tunnel service's IPC socket and control the privileged (root) tunnel without any elevation prompt: disconnect or start the VPN, alter the Client's configuration, or steer it toward attacker-controlled infrastructure. The attacker only needs to run code in the user's session.

Who is affected

Linux GUI Clients prior to 1.5.13. The Linux headless Client is not affected — it does not expose or use this GUI ↔ tunnel IPC socket.

Note that after upgrading, full enforcement requires Linux kernel 6.5 or newer. The fix relies on SO_PEERPIDFD to identify the connecting peer without a race; that syscall is only available on kernels 6.5+. On older kernels the service cannot verify the peer and continues to accept the connection (logging at the debug level that enforcement is unavailable), so those systems remain exposed even on 1.5.13. Upgrade the kernel to 6.5 or later for the protection to take effect.

Remediation

Upgrade to Linux GUI Client 1.5.13 or later, and run kernel 6.5+.

1.5.13 verifies the connecting peer's executable via SO_PEERPIDFD and only accepts connections from the packaged GUI binary at /usr/bin/firezone-client-gui, dropping all other connections.

Workarounds

There is no configuration-level workaround. Until you can upgrade (and run a 6.5+ kernel), reduce exposure by keeping untrusted software out of the desktop user's session, since any process running as that user can drive the tunnel.

Credits

Found by Oneleet, our SOC 2 compliance vendor, during routine penetration testing of the Firezone product.