CVE-2024-10394

Publication date 14 November 2024

Last updated 7 January 2026

Ubuntu priority

Description

A local user can bypass the OpenAFS PAG (Process Authentication Group) throttling mechanism in Unix clients, allowing the user to create a PAG using an existing id number, effectively joining the PAG and letting the user steal the credentials in that PAG.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
openafs	25.10 questing	Not affected
	25.04 plucky	Not affected
	24.10 oracular	Ignored end of life, was needs-triage
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-10394
http://openafs.org/pages/security/OPENAFS-SA-2024-001.txt
https://lists.openafs.org/pipermail/openafs-devel/2024-November/020961.html

CVE-2024-10394

Description

Status

References

Other references

Access our resources on patching vulnerabilities