Cyber Posture

CVE-2024-12084

Critical · Public PoC

Published: 15 January 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: RHBA-2025:6470
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0346 (87.6th percentile)
Risk Priority: 22 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12084 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Samba Rsync. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 12.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent (SI-2 Flaw Remediation): Timely flaw remediation directly addresses the heap-based buffer overflow in the rsync daemon by applying vendor patches such as RHBA-2025:6470 to eliminate the vulnerability.

Prevent: Memory protection mechanisms such as heap isolation and randomization mitigate exploitation of the out-of-bounds write in the sum2 buffer.

Prevent (SI-10 Information Input Validation): Information input validation enforces bounds checking on attacker-controlled checksum lengths such as s2length, preventing them from exceeding the fixed SUM_LENGTH.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The heap buffer overflow and related flaws in the rsync daemon enable remote code execution on servers via anonymous client access (T1068, T1190, T1210); the related file-leak vulnerability facilitates collection of arbitrary data from clients' local systems (T1005).

NVD Description

A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

Deeper analysis [AI-generated]

CVE-2024-12084 is a heap-based buffer overflow vulnerability in the rsync daemon, stemming from improper handling of attacker-controlled checksum lengths (s2length) in the code. The flaw occurs when MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH of 16 bytes, allowing an attacker to write out of bounds in the sum2 buffer. It is associated with CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

The vulnerability can be exploited by a remote attacker with network access to the rsync daemon, requiring no privileges, low complexity, and no user interaction. Exploitation enables out-of-bounds writes in heap memory, potentially compromising confidentiality, integrity, and availability to a high degree.
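The bounds check the mitigation section calls for (SI-10), as an added illustration that is not rsync's code and not taken from this page: it reuses the names the advisory text uses (SUM_LENGTH, MAX_DIGEST_LEN, s2length, sum2), but the struct layout, the value chosen for MAX_DIGEST_LEN, and the function names copy_sum2_checked, s2length_is_valid and try_copy_len are assumptions made here. The point it demonstrates is that a peer-supplied checksum length must be validated against the fixed 16-byte destination before any copy happens; an unchecked copy with a length up to MAX_DIGEST_LEN is exactly the class of defect the advisory describes.

```c
/* Added illustration, NOT rsync's code. Names SUM_LENGTH, MAX_DIGEST_LEN,
 * s2length and sum2 come from the advisory text; everything else is a
 * constructed stand-in written to show the input-validation mitigation. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SUM_LENGTH     16   /* fixed sum2 buffer size named in the advisory */
#define MAX_DIGEST_LEN 64   /* assumed value: any digest length larger than SUM_LENGTH */

/* Constructed stand-in for a per-block checksum record whose sum2 field is a
 * fixed 16-byte array; rsync's real structure is not reproduced here. */
struct sum_buf {
    uint8_t sum2[SUM_LENGTH];
};

/* Protocol-parse-time check: a peer-supplied checksum length is acceptable
 * only if it is non-negative and fits both the digest cap and the fixed
 * sum2 buffer. Returns 1 if valid, 0 otherwise. */
int s2length_is_valid(int s2length)
{
    return s2length >= 0 && s2length <= MAX_DIGEST_LEN && s2length <= SUM_LENGTH;
}

/* Hardened copy: validates the attacker-controlled length before any byte is
 * written. Returns 0 on success, -1 when the copy would overrun sum2. */
int copy_sum2_checked(struct sum_buf *dst, const uint8_t *src, int s2length)
{
    if (!s2length_is_valid(s2length))
        return -1;                          /* reject instead of overflowing */
    memcpy(dst->sum2, src, (size_t)s2length);
    return 0;
}

/* Convenience wrapper for the demo and tests: heap-allocates a record (to
 * mirror the advisory's heap-based setting), attempts a copy of the given
 * length from a constructed digest, and returns the copy's result code. */
int try_copy_len(int s2length)
{
    uint8_t digest[MAX_DIGEST_LEN];
    memset(digest, 0xAB, sizeof digest);    /* constructed sample digest bytes */
    struct sum_buf *rec = malloc(sizeof *rec);
    if (rec == NULL)
        return -2;
    int rc = copy_sum2_checked(rec, digest, s2length);
    free(rec);
    return rc;
}

int main(void)
{
    /* In-range length: accepted and copied. */
    printf("s2length=16 -> %d\n", try_copy_len(16));
    /* Over-long length, the case the advisory describes: rejected rather than
     * writing MAX_DIGEST_LEN - SUM_LENGTH bytes past the end of sum2. */
    printf("s2length=%d -> %d\n", MAX_DIGEST_LEN, try_copy_len(MAX_DIGEST_LEN));
    return 0;
}
```

Build with any C compiler (for example `cc -Wall -o sum2check sum2check.c`) and run it; the second line shows the over-long length being refused. The check is deliberately placed in a separate function so it can run when the length is parsed from the wire, before any record is allocated, rather than only at copy time.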

Red Hat has issued erratum RHBA-2025:6470 to address the issue; further details are available on Red Hat's CVE security page, in Bugzilla entry #2330527, in CERT vulnerability note 952657, and in an oss-security mailing list announcement from January 14, 2025.

Details

CWE(s): CWE-122 (Heap-based Buffer Overflow), CWE-787 (Out-of-bounds Write)

Affected Products

Vendor             Product            Versions
samba              rsync              3.2.7, 3.3.0
almalinux          almalinux          10.0
archlinux          arch linux         all versions
gentoo             linux              all versions
nixos              nixos              24.11 · ≤ 24.11
novell             suse linux         all versions
tritondatacenter   smartos            ≤ 20250123
redhat             enterprise linux   10.0

CVEs Like This One

CVE-2024-12088 (same product: almalinux / almalinux)
CVE-2024-12087 (same product: almalinux / almalinux)
CVE-2024-12085 (same product: almalinux / almalinux)
CVE-2025-62799 (shared CWE-122, CWE-787)
CVE-2025-57709 (shared CWE-122, CWE-787)
CVE-2026-21244 (shared CWE-122, CWE-787)
CVE-2026-5187 (shared CWE-122, CWE-787)
CVE-2026-5450 (shared CWE-122, CWE-787)
CVE-2026-21239 (shared CWE-122, CWE-787)
CVE-2025-58447 (shared CWE-122, CWE-787)
