Cyber Resilience

CVE-2024-6409

Severity: High
Published: 08 July 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: available (vendor errata listed under Deeper analysis)
CVSS v3.1 score: 7.0 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H)
EPSS score: 0.7640 (99.0th percentile)
Risk Priority: 60 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-6409 is a high-severity Signal Handler Race Condition (CWE-364) vulnerability in OpenSSH's server, recorded here against AlmaLinux as the affected product (inferred from references). Its CVSS base score is 7.0 (High).

Operationally, it ranks in the top 1.0% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

A race condition vulnerability exists in OpenSSH's server component sshd, tracked as CVE-2024-6409. When a client fails to authenticate within a configured time window, the SIGALRM handler executes asynchronously and invokes functions such as syslog() that are not async-signal-safe, creating conditions that can corrupt process state.

An unauthenticated remote attacker can trigger the flaw by simply withholding authentication long enough to fire the alarm. In the worst case this leads to remote code execution with the privileges of the unprivileged user under which sshd runs, although successful exploitation requires winning a narrow timing window reflected in the CVSS attack-complexity rating of high.
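The two handler patterns contrasted in the paragraphs above, as an added C example that is neither OpenSSH's code nor part of the original page: a login-grace timer whose SIGALRM handler logs via syslog() (the unsafe shape the CVE describes, shown for contrast and never installed), beside a handler that only sets a `volatile sig_atomic_t` flag and defers all logging to the main loop. The timer length, the polling loop and the "client that never authenticates" are assumptions of the simulation, not details from the page or from the OpenSSH patch.

```c
/* Added example: async-signal-safe vs. unsafe SIGALRM handling for a
   login-grace timeout. Not OpenSSH's code; a simulation of the pattern. */
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

/* UNSAFE pattern (contrast only, never installed below): syslog() is not on
   POSIX's async-signal-safe list. If the alarm fires while the interrupted
   code is inside malloc() or syslog() itself, the handler re-enters those
   routines and corrupts process state. This is the shape CVE-2024-6409
   describes. */
__attribute__((unused))
static void grace_alarm_unsafe(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication");  /* not async-signal-safe */
    _exit(255);
}

/* SAFE pattern: the handler only records that the alarm fired. Writing a
   volatile sig_atomic_t is async-signal-safe; everything else waits. */
static volatile sig_atomic_t grace_expired = 0;

static void grace_alarm_safe(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Install the safe handler and arm a one-shot timer of grace_ms milliseconds.
   Returns 0 on success, -1 on error. A zero or negative grace is rejected
   here because setitimer() with a zero value would disarm the timer and the
   wait below would never return (assumption of this simulation). */
static int arm_login_grace(long grace_ms)
{
    struct sigaction sa;
    struct itimerval it;

    if (grace_ms <= 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_safe;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;                 /* no SA_RESTART: blocking calls return EINTR */
    if (sigaction(SIGALRM, &sa, NULL) != 0)
        return -1;

    grace_expired = 0;
    memset(&it, 0, sizeof it);
    it.it_value.tv_sec = grace_ms / 1000;
    it.it_value.tv_usec = (grace_ms % 1000) * 1000;
    return setitimer(ITIMER_REAL, &it, NULL);
}

/* Simulated authentication wait: the "client" never authenticates, so the
   loop runs until the flag flips. Logging happens here, in normal context,
   where non-async-signal-safe calls are legitimate.
   Returns 1 when the grace period expired, -1 if the timer could not be armed. */
static int wait_for_auth_or_grace(long grace_ms)
{
    struct timespec tick = { 0, 1000000L };   /* 1 ms poll between checks */

    if (arm_login_grace(grace_ms) != 0)
        return -1;
    while (!grace_expired) {
        /* Real sshd would block on the client's auth packets here; SIGALRM
           interrupts nanosleep() and the loop re-checks the flag. */
        nanosleep(&tick, NULL);
    }
    syslog(LOG_INFO, "Timeout before authentication (grace %ld ms)", grace_ms);
    return 1;
}

int main(void)
{
    openlog("grace-demo", LOG_PID, LOG_AUTH);
    int r = wait_for_auth_or_grace(100);
    printf("grace expired: %d\n", r);   /* prints "grace expired: 1" */
    closelog();
    return r == 1 ? 0 : 1;
}
```

The design point is the split: the handler touches nothing but a flag, and the code that owns the process state decides when to log or exit. That is the general remedy the advisory text refers to when it says the errata "eliminate the unsafe signal handling"; the exact change OpenSSH shipped is not reproduced here.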

Multiple Red Hat advisories (RHSA-2024:4457, RHSA-2024:4613, RHSA-2024:4716, RHSA-2024:4910, RHSA-2024:4955) address the issue through updated OpenSSH packages; administrators should apply the relevant errata for their distributions to eliminate the unsafe signal handling.

The EPSS score currently sits at 0.7640 with a recorded peak of 0.7673, indicating sustained but not sharply increasing public interest in exploitation since disclosure.

Vulnerability details

A race condition vulnerability was discovered in how signals are handled by OpenSSH's server (sshd). If a remote attacker does not authenticate within a set time period, then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). As a consequence of a successful attack, in the worst case scenario, an attacker may be able to perform a remote code execution (RCE) as an unprivileged user running the sshd server.

CWE(s)

CWE-364: Signal Handler Race Condition

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

AlmaLinux (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References