CVE-2024-36041

HIGH

KSmserver <5.27.11.1-6.0.5.1 - Privilege Escalation

Title source: llm

Description

KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory.

References (7)

[Release Notes] https://github.com/KDE/plasma-workspace/tags

[Product] https://invent.kde.org/plasma/plasma-workspace/

[Vendor Advisory] https://kde.org/info/security/advisory-20240531-1.txt

[Product] https://www.x.org/releases/X11R7.7/doc/libSM/xsmp.html

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/06/msg00002.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/43YGQJGB5I33UBRY2OHXTPXIEESZLZ6N/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/DNOZWSWXAR6EM3VIUJRSAI3L4QPURQPC/

Scores

CVSS v3 7.8

EPSS 0.0010

EPSS Percentile 26.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-613

Status published

Products (1)

kde/plasma-workspace < 5.27.11.1

Published Jul 05, 2024

Tracked Since Feb 18, 2026