Alerts This Week
Warning Icon 1 714
Alerts This Week
Warning Icon 1 714

Critical Buffer Overflow Patch in Fedora 41 for Cloud-Init CVE-2024-11584

fedora
Calendar Grey July 30, 2025
Dist Fedora Esm H88
Investigate recent enhancements in cloud-init for Fedora 41, focusing on vital security vulnerabilities. Protect your environment effectively!
Backport fixes for CVE-2024-6174 and CVE-2024-11584 cloud-init included the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, mak...

Summary

Cloud-init is a set of init scripts for cloud instances. Cloud instances

need special scripts to run during initialization to retrieve and install

ssh keys and to let the user run various scripts.

Update Information:

Backport fixes for CVE-2024-6174 and CVE-2024-11584 cloud-init included the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. An unprivelege user could trigger hotplug-hook commands (CVE-2024-11584) When a non-x86 platform is detected, cloud-init granted root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration (CVE-2024-6174) Note that the fix for CVE-2024-6174 includes a change that may break non-x86 OpenStack Nova users. Affected users may wish to use ConfigDrive as a workaround

Topics%20covered

Topics Covered

security advisory fedora access control important cloud-init hotplug commands

Change Log

* Mon Jul 21 2025 Jeremy Cline - 24.2-4 - Backport fixes for CVE-2024-6174 and CVE-2024-11584 - cloud-init included the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world- writable. An unprivelege user could trigger hotplug-hook commands (CVE-2024-11584)

References


[ 1 ] Bug #2375012 - CVE-2024-6174 cloud-init: From CVEorg collector [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2375012 [ 2 ] Bug #2375013 - CVE-2024-6174 cloud-init: From CVEorg collector [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2375013 [ 3 ] Bug #2375025 - CVE-2024-11584 cloud-init: From CVEorg collector [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2375025 [ 4 ] Bug #2375026 - CVE-2024-11584 cloud-init: From CVEorg collector [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2375026

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-58f05c43ae' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical
Lowest
Low
Medium
High
Critical

Name: cloud-init
Product: Fedora 41
Version: 24.2
Release: 4.fc41
URL: https://github.com/canonical/cloud-init
Summary: Cloud instance init scripts

Topics%20covered

Topics Covered

security advisory fedora access control important cloud-init hotplug commands

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here