CVE-2024-28085: wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be...
wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.
Security readout for executives and security teams
Plain-English summary
CVE-2024-28085 is a local terminal-output issue in util-linux wall. A logged-in user may send terminal escape sequences to other users through command arguments when wall has setgid tty permissions. Business impact is usually limited, but shared Linux systems deserve attention because misleading terminal output can support account takeover scenarios.
Executive priority
Handle through normal Linux patch management, with earlier attention for shared administrative hosts. This is not an internet-facing emergency based on the provided evidence, but it can matter where many users share terminals.
Technical view
util-linux wall through 2.40 filters escape sequences from stdin but not from argv. With local low-privilege access, an attacker can inject terminal control sequences into another user’s terminal. The CVSS score is 3.3 because it is local, low impact, and primarily affects integrity rather than confidentiality or availability.
Likely exposure
Exposure is most relevant on multi-user Linux systems where util-linux wall is installed and commonly setgid tty. Single-user servers or environments without interactive logged-in users have lower practical exposure.
Exploitation context
The source bundle includes public writeups and a proof-of-concept repository, but KEV is false and no cited source establishes active exploitation. Abuse requires local access and a target user with an interactive terminal session.
Researcher notes
The key weakness is inconsistent escape-sequence handling between stdin and argv in wall. Evidence supports local integrity impact and plausible account-takeover scenarios, but the bundle does not prove widespread exploitation or provide complete product-level affected CPE data.
Mitigation direction
Update util-linux using OS or vendor security packages.
Prioritize shared servers, jump boxes, lab hosts, and multi-user Linux systems.
Check vendor advisories before changing wall permissions or package behavior.
Restrict unnecessary local shell access on shared systems.
Review terminal broadcast policies where wall is not operationally required.
Validation and detection
Inventory systems with util-linux wall installed.
Check util-linux package versions against vendor security advisories.
Verify whether wall has setgid tty permissions on shared hosts.
Confirm patched packages are deployed through configuration management.
Review local-user access on systems with interactive sessions.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-150: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-150 · source CWE mapping
Improper Neutralization of Escape, Meta, or Control Sequences
Improper Neutralization of Escape, Meta, or Control Sequences represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.