Cyber Resilience

CVE-2024-50986

High · Public PoC · LPE

Published: 15 November 2024

Modified: 07 July 2025
KEV Added
Patch
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.1085 (93.5th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-50986 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Clementine-Player Clementine. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DLL (T1574.001). The CVE ranks in the top 6.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

Clementine version 1.3.1 contains an untrusted search path vulnerability tracked as CVE-2024-50986 and assigned CWE-426. The flaw permits a local attacker to place a crafted DLL that the application loads at runtime, resulting in arbitrary code execution on the host system. The issue carries a CVSS 3.1 score of 7.3, reflecting a local attack vector, low attack complexity, and high impact across confidentiality, integrity, and availability.

A local attacker with the ability to write files to a location searched by Clementine can exploit the weakness when a user launches the player. Successful exploitation grants the attacker the same privileges as the running process, enabling full control over the affected workstation without requiring network access or elevated privileges beyond standard user rights.

The EPSS score for this CVE stands at 0.1085 with no material increase observed since disclosure. Public references consist of the Clementine project repository, the project homepage, and a proof-of-concept repository, but no vendor advisory or patch information is included in the available data.


Vulnerability details

An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1574.001 · DLL · Stealth
Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.

T1574.007 · Path Interception by PATH Environment Variable · Stealth
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries.

Why these techniques?

The DLL hijacking vulnerability enables arbitrary code execution by placing a malicious QUSEREX.DLL in a searched path (WindowsApps directory in PATH), mapping to DLL Search Order Hijacking (T1038), DLL Side-Loading (T1073, T1574.002), and Path Interception by PATH Environment Variable (T1574.007).

Affected Assets

Vendor: clementine-player
Product: clementine
Version: 1.3.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
