Description

A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.

INFO

Published Date :

2024-11-26T15:21:13.518Z

Last Modified :

2025-11-08T03:14:13.425Z

Source :

redhat
AFFECTED PRODUCTS

The following products are affected by CVE-2024-52336 vulnerability.

Vendors Products
Redhat
  • Enterprise Linux
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-52336.

URL Resource
https://access.redhat.com/errata/RHSA-2024:10384 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:0879 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:0880 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2024-52336 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2324540 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-52336 cve-icon
https://security.opensuse.org/2024/11/26/tuned-instance-create.html cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-52336 cve-icon
https://www.openwall.com/lists/oss-security/2024/11/28/1 cve-icon cve-icon cve-icon
https://www.openwall.com/lists/oss-security/2024/11/28/2 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact