CVE-2024-51440
Published: 12 February 2025
Summary
CVE-2024-51440 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Sharedobject (inferred from references). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 20.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-51440 is a privilege escalation vulnerability in Nothing Tech's Nothing OS version 2.6, specifically affecting the NtBpfService component. This flaw, linked to CWE-276 (Incorrect Default Permissions), has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
A local attacker with low privileges (PR:L) can exploit this vulnerability without user interaction (UI:N) and with low complexity (AC:L). Successful exploitation allows the attacker to escalate privileges, potentially gaining full control over the affected device by modifying or accessing restricted resources through the NtBpfService.
Mitigation details and further technical analysis are available in the referenced advisory at https://sharedobject.blog/posts/nothing-bpf/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4896
Vulnerability details
An issue in Nothing Tech Nothing OS v.2.6 allows a local attacker to escalate privileges via the NtBpfService component.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local privilege escalation via incorrect service permissions directly matches Exploitation for Privilege Escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely identification, reporting, and correction of flaws like the privilege escalation vulnerability in NtBpfService due to incorrect default permissions.
Enforces least privilege to restrict low-privileged local attackers from escalating privileges via the vulnerable NtBpfService component.
Mandates enforcement of approved access control policies to prevent unauthorized access and privilege escalation through misconfigured permissions on NtBpfService.