CVE-2024-48991
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2024-48991 is a local privilege escalation vulnerability discovered by Qualys in needrestart, affecting versions before 3.8. The vulnerability allows local attackers to execute arbitrary code as root by exploiting a race condition and tricking needrestart into running their own fake Python interpreter instead of the system's real Python interpreter (Qualys Advisory). The vulnerability was discovered in October 2024 and publicly disclosed on November 19, 2024. Needrestart is a tool installed by default on Ubuntu Server since version 21.04, used to probe systems for services that need restarting after package updates (Ubuntu Blog).

Technical details

The vulnerability exploits a time-of-check-time-of-use (TOCTOU) race condition in needrestart's process verification mechanism. The issue occurs because the filename checked from /proc/pid/exe during the main loop is not necessarily the same filename that is executed later. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD). The initial security fix (commit 6ce6136) introduced a regression which was subsequently resolved with commit 42af5d3 (Ubuntu Security).

Impact

The vulnerability allows local attackers to gain full root privileges on affected systems. This is particularly concerning as needrestart runs automatically at the end of APT transactions during package updates or unattended upgrades, making it exploitable without user interaction on Ubuntu Server installations (Qualys Advisory).

Mitigation and workarounds

As an immediate mitigation, users can disable the interpreter heuristic in needrestart's configuration by adding '$nrconf{interpscan} = 0;' to /etc/needrestart/needrestart.conf after the line '# Disable interpreter scanners.' and rebooting. For a permanent fix, users should upgrade to the patched versions: 3.6-8ubuntu4.2 for Ubuntu 24.10, 3.6-7ubuntu4.3 for Ubuntu 24.04 LTS, 3.5-5ubuntu2.2 for Ubuntu 22.04 LTS, and corresponding versions for other supported releases (Ubuntu Security).
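The following POSIX shell script is an added example, not code from the Wiz page, Ubuntu, or the needrestart project. It checks whether the interim workaround above is active in a needrestart configuration file and applies it idempotently, inserting the `$nrconf{interpscan} = 0;` line after the `# Disable interpreter scanners.` marker as the page recommends (appending both lines if the marker is missing). The function names and the fallback behaviour when the marker is absent are this example's own assumptions; the default path /etc/needrestart/needrestart.conf is the one named on the page, and any other path can be passed as the first argument so the script can be exercised on a copy first.

```shell
#!/bin/sh
# Added example (not from the Wiz page or the needrestart project): verify and
# apply the CVE-2024-48991 workaround in a needrestart.conf. The workaround
# only disables the interpreter heuristic; upgrading to a fixed package is
# still the permanent fix.

# Return 0 if an active (uncommented) '$nrconf{interpscan} = 0;' line exists,
# 1 if it does not, 2 if the file cannot be read.
interpscan_disabled() {
    conf="${1:-/etc/needrestart/needrestart.conf}"
    [ -r "$conf" ] || return 2
    grep -Eq '^[[:space:]]*\$nrconf\{interpscan\}[[:space:]]*=[[:space:]]*0[[:space:]]*;' "$conf"
}

# Insert the workaround line directly after the '# Disable interpreter
# scanners.' marker line; if the marker is absent (assumption: append marker
# and setting at the end). Leaves the file untouched when already mitigated.
apply_interpscan_workaround() {
    conf="${1:-/etc/needrestart/needrestart.conf}"
    [ -w "$conf" ] || return 2
    if interpscan_disabled "$conf"; then
        return 0
    fi
    tmp="$(mktemp)" || return 2
    if grep -q '^# Disable interpreter scanners\.' "$conf"; then
        # awk: echo every line, and after the marker emit the setting.
        awk '{ print } /^# Disable interpreter scanners\./ { print "$nrconf{interpscan} = 0;" }' \
            "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf '%s\n' '# Disable interpreter scanners.' '$nrconf{interpscan} = 0;' >> "$tmp"
    fi
    # Overwrite in place so the file's owner/mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Stand-alone use: report the status of the given (or system) config file.
conf_path="${1:-/etc/needrestart/needrestart.conf}"
if interpscan_disabled "$conf_path"; then
    echo "$conf_path: interpreter scanning disabled (workaround present)"
else
    echo "$conf_path: interpreter scanning not disabled; apply_interpscan_workaround adds it"
fi
```

Run it as root with no argument to check the live file, or pass a copy of the file to rehearse the change; needrestart reads the configuration on its next run, so the check is also a convenient compliance probe across a fleet.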

This report was generated using AI.

Related Linux Debian vulnerabilities:

CVE ID           Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2025-40289   N/A       N/A    Linux Debian  linux           No                Yes      Dec 06, 2025
CVE-2025-40288   N/A       N/A    Linux Debian  linux           No                Yes      Dec 06, 2025
CVE-2025-40287   N/A       N/A    Linux Debian  linux           No                Yes      Dec 06, 2025
CVE-2025-40286   N/A       N/A    Linux Debian  linux           No                Yes      Dec 06, 2025
CVE-2025-40285   N/A       N/A    Linux Debian  linux           No                Yes      Dec 06, 2025
