CVE-2018-16267: The system-popup system service in Tizen allows an unprivileged process to perform popup-related system actions, due to improper D-Bus security policy...

Description

The system-popup system service in Tizen allows an unprivileged process to perform popup-related system actions, due to improper D-Bus security policy configurations. Such actions include the triggering system poweroff menu, and prompting a popup with arbitrary strings. This affects Tizen before 5.0 M1, and Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Probability

0.68%

47.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-269

Affected Software

Vendor	Product	Versions	Update
Linux	Tizen	1.0	—
Linux	Tizen	2.0	—
Linux	Tizen	2.1	—
Linux	Tizen	2.2	—
Linux	Tizen	2.2.1	—
Linux	Tizen	2.3	—
Linux	Tizen	2.3.1	—
Linux	Tizen	2.4	—
Linux	Tizen	3.0	—
Linux	Tizen	4.0	M1
Linux	Tizen	5.0	—

References

Timeline

Published: Jan 22, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-16267?

The system-popup system service in Tizen allows an unprivileged process to perform popup-related system actions, due to improper D-Bus security policy configurations. Such actions include the triggering system poweroff menu, and prompting a popup with arbitrary strings. This affects Tizen before 5.0 M1, and Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.

How severe is CVE-2018-16267?

CVE-2018-16267 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 0.68% probability of exploitation in the next 30 days.

How do I fix CVE-2018-16267?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.