Vulnerability Description
A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2024:10384
- https://access.redhat.com/errata/RHSA-2025:0879
- https://access.redhat.com/errata/RHSA-2025:0880
- https://access.redhat.com/security/cve/CVE-2024-52336
- https://bugzilla.redhat.com/show_bug.cgi?id=2324540
- https://security.opensuse.org/2024/11/26/tuned-instance-create.html
- https://www.openwall.com/lists/oss-security/2024/11/28/1
- https://security.opensuse.org/2024/11/26/tuned-instance-create.html
- https://www.openwall.com/lists/oss-security/2024/11/28/2
FAQ
What is CVE-2024-52336?
CVE-2024-52336 is a vulnerability with a CVSS score of 7.8 (HIGH). A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local n...
How severe is CVE-2024-52336?
CVE-2024-52336 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-52336?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.