CVE-2024-1488 HIGH

CVE-2024-1488: Unbound: unrestricted reconfiguration enabled to anyone that may lead to local privilege escalation

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Weakness CWE-276
Published February 15, 2024
Last update November 11, 2025

CVSS base score

8.0/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

What the vulnerability does

01 Description

A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an unprivileged attacker to manipulate a running instance, potentially altering forwarders so that the attacker can track all queries forwarded by the local resolver and, in some cases, disrupting resolution altogether.
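A defensive audit for the condition described above, as an added example that is not Red Hat's or the Unbound project's code. It assumes (the record does not name the settings) that the exposure corresponds to `remote-control` being enabled on a TCP address with `control-use-cert` set to `no`; the sample configurations and the socket path are constructed.

```python
import re

# Constructed sample configurations (not taken from any real system).
EXPOSED = """remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
    control-use-cert: "no"
"""
HARDENED = """remote-control:
    control-enable: yes
    control-interface: /run/unbound/control   # hypothetical socket path
"""

def remote_control_settings(conf_text):
    """Collect key -> [values] from the remote-control: clause only."""
    settings, in_clause = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([a-z0-9-]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if value == "":                              # clause header, e.g. "server:"
            in_clause = (key == "remote-control")
        elif in_clause:
            settings.setdefault(key, []).append(value)
    return settings

def audit(conf_text):
    """Return findings for TCP control listeners that skip certificate auth."""
    s = remote_control_settings(conf_text)
    if s.get("control-enable", ["no"])[-1] != "yes":
        return []                                    # control channel is off
    use_cert = s.get("control-use-cert", ["yes"])[-1] == "yes"
    port = s.get("control-port", ["8953"])[-1]
    findings = []
    # With no control-interface given, unbound listens on both loopbacks.
    for iface in s.get("control-interface", ["127.0.0.1", "::1"]):
        if iface.startswith("/"):
            continue      # Unix socket: access follows file ownership and mode
        if not use_cert:
            findings.append(f"{iface} port {port}: control channel "
                            "without certificate authentication")
    return findings

if __name__ == "__main__":
    print(audit(EXPOSED), audit(HARDENED))
```

The parser reads a single file and does not follow `include:` directives, so run it over each included file as well.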

Key dates

02 Disclosure timeline

February 15, 2024 CVE published
November 11, 2025 Record updated