CVE-2024-10394 HIGH

CVE-2024-10394: Theft of credentials in Unix client PAGs

Vendor The OpenAFS Foundation
Product OpenAFS
Weakness CWE-305
Published November 14, 2024
Last update December 23, 2025

CVSS base score

8.4/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

A local user can bypass the OpenAFS PAG (Process Authentication Group) throttling mechanism in Unix clients, allowing the user to create a PAG using an existing id number, effectively joining the PAG and letting the user steal the credentials in that PAG.

Key dates

02 Disclosure timeline

November 14, 2024 CVE published
December 23, 2025 Record updated