LiveActive security incident?Get immediate response
CVE archive

October 2024

Browse CVE records published in October 2024, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 3391 matching CVEs · Page 2 of 68.

Medium · CVSS 4.7

CVE-2024-10041: Pam: libpam: libpam vulnerable to read hashed password

A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.

Published Oct 23, 2024 · Updated Jun 29, 2026

High · CVSS 7.8

CVE-2024-9675: Buildah: buildah allows arbitrary directory mount

A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.

Published Oct 9, 2024 · Updated Jun 29, 2026

High · CVSS 7.8

CVE-2024-9050: Networkmanager-libreswan: local privilege escalation via leftupdown

A flaw was found in the libreswan client plugin for NetworkManager (NetkworkManager-libreswan), where it fails to properly sanitize the VPN configuration from the local unprivileged user. In this configuration, composed by a key-value format, the plugin fails to escape special characters, leading the application to interpret values as keys. One of the most critical parameters that could be abused by a malicious user is the `leftupdown`key. This key takes an executable command as a value and is used to specify what executes as a callback in NetworkManager-libreswan to retrieve configuration settings back to NetworkManager. As NetworkManager uses Polkit to allow an unprivileged user to control the system's network configuration, a malicious actor could achieve local privilege escalation and potential code execution as root in the targeted machine by creating a malicious configuration.

Published Oct 22, 2024 · Updated Jun 25, 2026

Medium · CVSS 6.5

CVE-2024-9355: Golang-fips: golang fips zeroed buffer

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.  It is also possible to force a derived key to be all zeros instead of an unpredictable value.  This may have follow-on implications for the Go TLS stack.

Published Oct 1, 2024 · Updated Jun 18, 2026