LiveActive security incident?Get immediate response
CVE Record

CVE-2011-2777: samples/powerbtn/powerbtn.sh in acpid (aka acpid2) 2.0.16 and earlier uses the pidof program incorrectly, w...

samples/powerbtn/powerbtn.sh in acpid (aka acpid2) 2.0.16 and earlier uses the pidof program incorrectly, which allows local users to gain privileges by running a program with the name kded4 and a DBUS_SESSION_BUS_ADDRESS environment variable containing commands.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2011-2777 is a local privilege escalation issue in acpid/acpid2 2.0.16 and earlier. The vulnerable sample power button script mishandles process detection and environment data, allowing a local user to potentially run commands with higher privileges. The supplied sources do not show internet-exposed exploitation or active exploitation.

Executive priority

Handle as legacy Linux hardening rather than an internet-facing emergency. Prioritize shared systems and endpoints where untrusted users can log in locally, because successful exploitation could turn a low-privileged account into a higher-privileged foothold.

Technical view

The flaw is in samples/powerbtn/powerbtn.sh. It uses pidof incorrectly around a process name and trusts DBUS_SESSION_BUS_ADDRESS in a way that can lead to command execution by a local user. The source bundle identifies acpid/acpid2 2.0.16 and earlier, but provides limited vendor/version metadata beyond that description.

Likely exposure

Exposure is most likely on older Linux systems using acpid/acpid2 2.0.16 or earlier where the sample power button script is installed and active. Risk is higher on shared workstations, servers with untrusted local users, or environments where local accounts are broadly granted.

Exploitation context

The supplied sources describe local privilege escalation, not remote exploitation. KEV is false, and no cited source in the bundle confirms active exploitation. An attacker would already need local access or a path to run code as a lower-privileged user.

Researcher notes

Evidence is sparse in the supplied bundle. The CVE description names the vulnerable file, affected version ceiling, local-user prerequisite, and unsafe environment handling. It does not provide CVSS, CWE, complete affected CPEs, exploit prevalence, or a confirmed fixed version.

Mitigation direction

  • Inventory systems running acpid/acpid2 and identify versions at or below 2.0.16.
  • Check vendor advisories or distribution package notes for fixed acpid builds.
  • Remove or replace the vulnerable sample powerbtn.sh where vendor guidance supports doing so.
  • Limit local shell access on affected shared Linux systems until remediated.
  • Prioritize remediation on systems with untrusted local users.

Validation and detection

  • Confirm whether acpid/acpid2 is installed and record the package version.
  • Verify whether samples/powerbtn/powerbtn.sh exists and is used for power button handling.
  • Review distribution changelogs for a fix referencing CVE-2011-2777 or the Launchpad bug.
  • Confirm local users cannot modify or influence the active power button handler.
  • Document residual exposure where vendor fix status is unclear.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2011-2777 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.