VYPR
High severity 7.0 · NVD Advisory · Published Jul 16, 2024 · Updated Apr 15, 2026

CVE-2024-6655

Description

A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-6655 allows library injection into GTK-2/GTK-3 applications via the current working directory when a GTK module is missing from standard paths.

Vulnerability

CVE-2024-6655 is a flaw in the GTK library (both GTK-2 and GTK-3) that permits a library to be injected into a GTK application from the current working directory (CWD) [4]. The bug occurs when a GTK module is requested but is not found in the standard library paths; under these conditions, the system may load a library from the CWD, enabling arbitrary code execution [3][4].

Exploitation

To exploit this vulnerability, an attacker must place a malicious library (e.g., a shared object) in the CWD of a GTK-based application that attempts to load a missing module [4]. The attack does not require authentication but does require the victim to run the application from a directory where the attacker can write or plant files. No special network position is needed, as local file access is sufficient [3].

Impact

If successful, an attacker can inject and execute arbitrary code within the context of the vulnerable GTK application, potentially leading to full system compromise or privilege escalation depending on the application's permissions [4]. The impact is rated as High with a CVSS v3 score of 7.0 [1][2].

Mitigation

GTK-3 version 3.24.43 includes a security fix for this issue, and Red Hat has provided updated packages for Red Hat Enterprise Linux 9 via RHSA-2024:9184 and RHSA-2024:6963 [1][2][4]. GTK-2 is no longer maintained and will not receive an official patch; users are advised to either backport the fix or to avoid running GTK-2 applications from untrusted directories [4].
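
A host-side check for the mitigation above, as an added example that is not part of the advisory: it compares the installed GTK-3 version with 3.24.43 and lists `GTK_MODULES` entries that do not resolve in the module directories, which is the condition under which the CWD lookup occurs. The `lib<name>.so` file naming, the directory list and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a host for CVE-2024-6655 exposure.

FIXED_GTK3="3.24.43"   # fixed upstream GTK-3 release named in the advisory

# Return 0 if the GTK-3 version in $1 is >= the fixed release.
# Distribution packages may backport the fix under an older version number,
# so a non-zero result means "check the vendor advisory", not proof of exposure.
gtk3_is_fixed() {
    [ -n "$1" ] || return 1
    [ "$(printf '%s\n%s\n' "$FIXED_GTK3" "$1" | sort -V | head -n 1)" = "$FIXED_GTK3" ]
}

# Print every name in a colon-separated GTK_MODULES-style list that has no
# lib<name>.so (assumed naming) in any of the given module directories.
# Usage: unresolved_gtk_modules "$GTK_MODULES" DIR...
unresolved_gtk_modules() (
    list=$1; shift
    IFS=':'; set -f               # split on ':' only, no glob expansion
    for name in $list; do
        if [ -z "$name" ]; then continue; fi
        found=0
        for dir in "$@"; do
            if [ -e "$dir/lib$name.so" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$name"; fi
    done
)

# Report for the current host. The directories below are assumed typical
# locations; adjust them for your distribution.
if command -v pkg-config >/dev/null 2>&1 &&
   ver=$(pkg-config --modversion gtk+-3.0 2>/dev/null); then
    if gtk3_is_fixed "$ver"; then
        echo "GTK-3 $ver: includes the upstream fix"
    else
        echo "GTK-3 $ver: older than $FIXED_GTK3, check for a vendor backport"
    fi
fi
unresolved_gtk_modules "${GTK_MODULES:-}" \
    /usr/lib64/gtk-3.0/modules /usr/lib/gtk-3.0/modules \
    /usr/lib/x86_64-linux-gnu/gtk-3.0/modules |
    sed 's/^/GTK_MODULES entry not found in module dirs: /'
```

An entry reported as not found is a candidate for removal from `GTK_MODULES` or for installing the package that provides the module.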

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 79