CVE-2024-48992

7.8 HIGH

📋 TL;DR

CVE-2024-48992 is a local privilege escalation vulnerability in needrestart versions before 3.8. Attackers with local access can trick needrestart into executing arbitrary code as root by manipulating the RUBYLIB environment variable. This affects systems running vulnerable versions of needrestart, commonly found on Debian, Ubuntu, and other Linux distributions.

💻 Affected Systems

Products:
  • needrestart
Versions: All versions before 3.8
Operating Systems: Linux distributions including Debian, Ubuntu, and derivatives
Default Config Vulnerable: ⚠️ Yes
Notes: Systems where needrestart is installed and configured to run with root privileges (common default).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full root privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement.

🟠 Likely Case

Privileged user or attacker with initial foothold escalates to root to install malware, modify system configurations, or access sensitive data.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to isolated systems with quick detection and containment.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring existing access to the system.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to gain root privileges on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access but is straightforward to execute. Technical details and proof-of-concept are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.8 and later

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/11/msg00014.html

Restart Required: No

Instructions:

1. Update needrestart to version 3.8 or later using your package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install needrestart
3. Verify the installed version with: needrestart --version

🔧 Temporary Workarounds

Remove RUBYLIB environment variable

Platform: Linux

Prevent exploitation by clearing or restricting the RUBYLIB environment variable for needrestart processes. A unit override only affects needrestart runs started by that unit; other invocations (such as the apt hook) do not inherit it.

sudo systemctl edit needrestart.service
In the override editor, add under the [Service] section: Environment="RUBYLIB="
sudo systemctl daemon-reload
sudo systemctl restart needrestart

🧯 If You Can't Patch

  • Restrict local user access to systems with vulnerable needrestart versions
  • Implement strict monitoring for unusual process execution or privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the needrestart version with: needrestart --version. If the version is below 3.8, the system is vulnerable.

Check Version:

needrestart --version

Verify Fix Applied:

After update, run: needrestart --version. Confirm version is 3.8 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual needrestart process execution with RUBYLIB environment variable
  • Privilege escalation attempts via needrestart

Network Indicators:

  • None - this is a local attack

SIEM Query:

process.name:"needrestart" AND process.env:RUBYLIB=*
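As an added example (not part of this advisory page), the version check from the verification section and the SIEM query above expressed as Python: the version string is parsed with a regex (the exact `needrestart --version` banner is an assumption; only the first dotted number is used), and the process records are a constructed stand-in for SIEM telemetry.

```python
import re
from typing import Iterable

FIXED_VERSION = (3, 8)  # first fixed release named in the advisory


def parse_version(version_output: str) -> tuple:
    """Extract the upstream version from `needrestart --version` output.

    The exact banner text is an assumption; only the first dotted number
    (e.g. "3.7") is used, so a distro suffix such as "-7ubuntu4" is ignored.
    """
    m = re.search(r"\b(\d+(?:\.\d+)+)", version_output)
    if not m:
        raise ValueError(f"no version found in: {version_output!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version_output: str) -> bool:
    """True when the reported upstream version is below 3.8.

    Caveat: a distribution that backports the fix keeps the upstream number,
    so confirm a True result against the package changelog for this CVE.
    """
    return parse_version(version_output) < FIXED_VERSION


def flag_needrestart_with_rubylib(processes: Iterable[dict]) -> list:
    """Mirror the SIEM query over process records (constructed dict shape:
    keys "pid", "name", "env"). Returns PIDs of needrestart processes whose
    environment carries RUBYLIB."""
    return [p["pid"] for p in processes
            if p["name"] == "needrestart" and "RUBYLIB" in p.get("env", {})]


# Constructed sample telemetry, not from a real host.
SAMPLE_PROCESSES = [
    {"pid": 101, "name": "needrestart", "env": {"PATH": "/usr/bin", "RUBYLIB": "/home/alice/lib"}},
    {"pid": 102, "name": "needrestart", "env": {"PATH": "/usr/bin"}},
    {"pid": 103, "name": "ruby", "env": {"RUBYLIB": "/home/alice/lib"}},
]

if __name__ == "__main__":
    print(is_vulnerable("needrestart 3.7"))                 # True
    print(is_vulnerable("needrestart 3.8"))                 # False
    print(flag_needrestart_with_rubylib(SAMPLE_PROCESSES))  # [101]
```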
