CVE-2024-52336 HIGH

CVE-2024-52336: Tuned: `script_pre` and `script_post` options allow to pass arbitrary scripts executed by root

Vendor Red Hat
Product Fast Datapath for RHEL 7
Weakness CWE-269
Published November 26, 2024
Last update November 8, 2025

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.

Key dates

02Disclosure timeline

November 26, 2024 CVE published
November 8, 2025 Record updated