Description
In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.
References (7)
Core 7
Core References
Vendor Advisory
https://security.netapp.com/advisory/ntap-20241213-0002/
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/karelzak/util-linux/issues/539
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2018/dsa-4134
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/103367
Patch, Third Party Advisory x_refsource_misc
https://bugs.debian.org/892179
Patch, Third Party Advisory x_refsource_misc
https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55
Vendor Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4512-1/
Scores
CVSS v3
7.8
EPSS
0.0007
EPSS Percentile
21.2%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (1)
kernel/util-linux
< 2.31
Published
Mar 07, 2018
Tracked Since
Feb 18, 2026