CVE-2024-10396 MEDIUM

CVE-2024-10396: Fileserver crash and possible information leak on StoreACL/FetchACL

Vendor The OpenAFS Foundation
Product OpenAFS
Weakness CWE-772
Published November 14, 2024
Last update December 23, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

An authenticated user can provide a malformed ACL to the fileserver's StoreACL RPC, causing the fileserver to crash, possibly expose uninitialized memory, and possibly store garbage data in the audit log. Malformed ACLs provided in responses to client FetchACL RPCs can cause client processes to crash and possibly expose uninitialized memory into other ACLs stored on the server.

Key dates

Disclosure timeline

November 14, 2024 CVE published
December 23, 2025 Record updated