CVE-2024-39331

9.8 CRITICAL

📋 TL;DR

This vulnerability in Emacs Org Mode allows arbitrary code execution when processing malicious Org documents containing specially crafted link abbreviations. Attackers can execute shell commands with the privileges of the user opening the document. Affects Emacs users with Org Mode enabled who open untrusted Org files.

💻 Affected Systems

Products:
  • GNU Emacs with Org Mode
Versions: Emacs before 29.4, Org Mode before 9.7.5
Operating Systems: All platforms running affected Emacs versions
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default Org Mode configuration when opening Org files with %(...) link abbreviations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via remote code execution when user opens a malicious Org document, leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation or arbitrary command execution when users open Org files from untrusted sources, potentially leading to credential theft or lateral movement.

🟢 If Mitigated

Limited impact if users only open trusted Org files and have proper file validation controls in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening a malicious Org file) but the vulnerability is straightforward to exploit once the malicious file is crafted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Emacs 29.4 or Org Mode 9.7.5

Vendor Advisory: https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29

Restart Required: Yes

Instructions:

1. Update Emacs to version 29.4 or later using your package manager.
2. Alternatively, update Org Mode to version 9.7.5 or later.
3. Restart Emacs after updating.

🔧 Temporary Workarounds

Disable unsafe link abbreviation expansion

Platforms: all

Add configuration to prevent expansion of unsafe functions in link abbreviations

Add to .emacs: (setq org-link-abbrev-alist nil)

Disable Org Mode link abbreviation feature

Platforms: all

Completely disable the vulnerable link abbreviation functionality

Add to .emacs: (setq org-link-use-abbrev-for-name nil)

🧯 If You Can't Patch

  • Only open Org files from trusted sources and avoid downloading Org files from untrusted locations
  • Use Emacs in a sandboxed environment or container when handling potentially untrusted Org files
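
Added example (not from the advisory or the Org project): a Python triage script that flags Org files whose #+LINK: abbreviation definitions contain a %(...) function call, so they can be reviewed as plain text instead of being opened in an unpatched Emacs. It assumes abbreviations are declared with Org's #+LINK: keyword; the names scan_org_text and scan_tree and the sample text are constructed for this example.

```python
import re
from pathlib import Path

# Org keyword line "#+LINK: <abbrev> <replacement>"; keywords are case-insensitive.
LINK_KEYWORD = re.compile(r"^[ \t]*#\+LINK:[ \t]+(\S+)[ \t]+(.+?)[ \t]*$", re.IGNORECASE)
# "%(" in a replacement asks Org to call an Elisp function when the link expands.
FUNCALL = re.compile(r"%\(\s*([^\s()]*)")


def scan_org_text(text):
    """Return (line_no, abbrev, function_name) for each #+LINK line using %(...)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINK_KEYWORD.match(line)
        if not m:
            continue
        abbrev, replacement = m.groups()
        for call in FUNCALL.finditer(replacement):
            findings.append((line_no, abbrev, call.group(1)))
    return findings


def scan_tree(root):
    """Scan every *.org file under root as plain text, without starting Emacs."""
    report = {}
    for path in sorted(Path(root).rglob("*.org")):
        hits = scan_org_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample input: one ordinary abbreviation and one that uses the
# harmless test form quoted in the "Verify Fix Applied" section of this page.
SAMPLE = """\
#+TITLE: Constructed sample
#+LINK: bugs https://bugs.example.test/show?id=%s
#+link: demo %(shell-command-to-string "echo test")
"""

if __name__ == "__main__":
    for line_no, abbrev, fn in scan_org_text(SAMPLE):
        print(f"line {line_no}: abbreviation {abbrev!r} calls {fn!r}")
```

A clean result is triage only; it does not replace updating to Emacs 29.4 or Org Mode 9.7.5.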

🔍 How to Verify

Check if Vulnerable:

Check Emacs version with: emacs --version | head -1. Check Org Mode version by opening Emacs and running: M-x org-version

Check Version:

emacs --version | head -1

Verify Fix Applied:

Verify Emacs version is 29.4+ or Org Mode version is 9.7.5+. Test with a safe %(shell-command-to-string "echo test") link abbreviation - it should not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual shell command execution from Emacs process
  • Emacs process spawning unexpected child processes

Network Indicators:

  • Emacs process making unexpected network connections

SIEM Query:

process.name:"emacs" AND process.parent.name NOT IN ["bash", "zsh", "terminal"] AND process.cmdline CONTAINS "shell-command"
