CVE-2024-28085
Publication date 27 March 2024
Last updated 30 May 2025
Ubuntu priority
wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| util-linux | 25.04 plucky |
Fixed 2.39.3-9ubuntu6
|
| 24.10 oracular |
Fixed 2.39.3-9ubuntu6
|
|
| 24.04 LTS noble |
Fixed 2.39.3-9ubuntu6
|
|
| 22.04 LTS jammy |
Fixed 2.37.2-4ubuntu3.3
|
|
| 20.04 LTS focal |
Fixed 2.34-0.1ubuntu9.5
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
Notes
mdeslaur
USN-6719-1 added patches, but it turned out they were insufficient to completely fix the issue, so -2 was released which removes the setgid bit from the wall and write binaries.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
3.3 · Low
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-6719-1
- util-linux vulnerability
- 27 March 2024
- USN-6719-2
- util-linux vulnerability
- 10 April 2024