CVE-2024-10394

HIGH

OpenAFS < 1.6.25 - Authentication Bypass via PAG Throttling Mechanism

Title source: llm

Description

A local user can bypass the OpenAFS PAG (Process Authentication Group) throttling mechanism in Unix clients, allowing the user to create a PAG using an existing id number, effectively joining the PAG and letting the user steal the credentials in that PAG.

References (3)

Core 3

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2025/05/msg00019.html

Various Sources

https://www.openafs.org/pages/security/OPENAFS-SA-2024-001.txt

Various Sources

https://www.openafs.org/security

Scores

CVSS v3 7.8

EPSS 0.0020

EPSS Percentile 10.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-305

Status published

Products (2)

openafs/openafs 1.9.0

openafs/openafs 1.0 - 1.6.25

Published Nov 14, 2024

Tracked Since Feb 18, 2026