High severity7.8NVD Advisory· Published Nov 26, 2024· Updated Apr 15, 2026
CVE-2024-52336
CVE-2024-52336
Description
A script injection vulnerability was identified in the Tuned package. The instance_create() D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with script_pre or script_post options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- access.redhat.com/errata/RHSA-2024:10384nvd
- access.redhat.com/errata/RHSA-2025:0879nvd
- access.redhat.com/errata/RHSA-2025:0880nvd
- access.redhat.com/security/cve/CVE-2024-52336nvd
- bugzilla.redhat.com/show_bug.cginvd
- security.opensuse.org/2024/11/26/tuned-instance-create.htmlnvd
- www.openwall.com/lists/oss-security/2024/11/28/1nvd
- www.openwall.com/lists/oss-security/2024/11/28/2nvd
News mentions
0No linked articles in our index yet.