Cyber Resilience

CVE-2024-48990

Severity: High
Published: 19 November 2024
Modified: 03 November 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1525 (94.8th percentile)
Risk Priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-48990 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in the needrestart utility (Needrestart Project). Its CVSS base score is 7.8 (High).

Operationally, its EPSS score ranks it in the top 5.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-48990 affects the needrestart utility prior to version 3.8. The flaw stems from insufficient control over the PYTHONPATH environment variable when the tool invokes the Python interpreter, enabling a local attacker to supply a malicious search path that leads to execution of arbitrary code.

A local attacker with low privileges can exploit the issue without user interaction by arranging for needrestart to load attacker-controlled Python modules during its operation, resulting in root-level code execution on the affected system. The vulnerability carries a CVSS score of 7.8 and is classified under CWE-427.

Public references, including the upstream commit and Debian LTS advisory, indicate that the issue is resolved by upgrading to needrestart 3.8 or applying the corresponding distribution patches that sanitize the environment before invoking Python.
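The defensive pattern the upstream fix is described as applying, shown as an added example that is not needrestart's own code and not taken from the upstream commit: a privileged tool strips interpreter search-path variables from its environment before launching Python, and a version gate flags installs older than the fixed release. The variable prefixes, the `CONSTRUCTED_DIR` path and the helper names are assumptions made for the example.

```python
"""Added example (not from the CVE record and not needrestart's code):
scrub interpreter-hijacking variables before spawning Python, and gate on
the fixed version (3.8). The prefix list and helper names are assumptions."""
import os
import re
import subprocess
import sys

FIXED_VERSION = (3, 8)  # first release the record says resolves the issue

# Environment variables that steer which code an interpreter loads.
# Illustrative list, not the set the upstream patch uses.
UNSAFE_PREFIXES = ("PYTHON", "LD_", "PERL5", "RUBY")

# Constructed sample directory; it does not need to exist for the demo.
CONSTRUCTED_DIR = "/tmp/constructed-hijack-dir"


def sample_env():
    """Constructed environment a low-privileged caller might hand to a
    privileged tool: a benign HOME plus a search-path override."""
    return {"HOME": "/home/constructed-user", "PYTHONPATH": CONSTRUCTED_DIR}


def scrubbed_env(env=None):
    """Return a copy of env with interpreter search-path variables removed.
    Defaults to the process environment when env is None."""
    src = os.environ if env is None else env
    return {k: v for k, v in src.items() if not k.startswith(UNSAFE_PREFIXES)}


def run_python_inherited(code, env):
    """Weak pattern: the child interpreter inherits env verbatim, so a
    PYTHONPATH entry lands on its sys.path. Returns the child's stdout."""
    proc = subprocess.run([sys.executable, "-c", code], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def run_python_clean(code, env=None):
    """Hardened pattern: scrub the environment and also start Python in
    isolated mode (-I), which ignores PYTHON* variables even if one slips
    through. Returns the child's stdout."""
    proc = subprocess.run([sys.executable, "-I", "-c", code],
                          env=scrubbed_env(env),
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def parse_version(text):
    """Extract major.minor from a string such as 'needrestart 3.7'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)))


def is_fixed(version_text):
    """True when the reported version is at or above the fixed release."""
    return parse_version(version_text) >= FIXED_VERSION


if __name__ == "__main__":
    probe = "import sys; print(sys.path)"
    print("inherited env:", run_python_inherited(probe, sample_env()))
    print("scrubbed env: ", run_python_clean(probe, sample_env()))
    print("needrestart 3.7 fixed?", is_fixed("needrestart 3.7"))
    print("needrestart 3.8 fixed?", is_fixed("needrestart 3.8"))
```

Running the block prints the child interpreter's `sys.path` twice: once with the constructed directory present (inherited environment) and once without it (scrubbed environment plus isolated mode). The same `scrubbed_env` filter is what an audit script would apply to any root-level helper that shells out to an interpreter.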

The associated EPSS score reached a peak of 0.2005 after disclosure, indicating emerging exploitation interest that warrants renewed attention for systems still running older versions.

Vulnerability details

Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.

CWE(s)

CWE-427: Uncontrolled Search Path Element

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: needrestart project
Product: needrestart
Version: ≤ 3.8

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
