CVE-2024-48990

Published Nov 19, 2024

Last updated 6 months ago

CVSS high 7.8
Ubuntu

Overview

AI description

Automated description summarized from trusted sources.

CVE-2024-48990 is a local privilege escalation vulnerability identified in the `needrestart` utility, affecting versions prior to 3.8. Discovered by Qualys, this flaw allows a local attacker to execute arbitrary code with root privileges. The vulnerability arises when `needrestart` is manipulated into running the Python interpreter while an attacker controls the `PYTHONPATH` environment variable. This manipulation enables the attacker to hijack library paths and execute their own malicious Python code with elevated permissions. The issue has been present since the introduction of interpreter support in `needrestart` version 0.8 in April 2014 and is particularly relevant for Ubuntu Server installations where `needrestart` is installed by default.

Description
Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.
Source
security@ubuntu.com
NVD status
Modified
Products
needrestart

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-427

Social media

Hype score
Not currently trending

  1. HackTheBox retired Linux box showcases multiple file write vulnerabilities in Flask XSLT converter and needrestart CVE-2024-48990 privilege escalation. Released October 2025, retired today after teaching path traversal and environment variable poisoning techniques. Technical htt

    @DFIR_Radar

    21 Mar 2026

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. HTB “Conversor” write-up: Flask app converting Nmap XML to HTML is abused via XSLT injection + os.path.join traversal to drop cron-executed Python shells, gain www-data, crack MD5 creds → fismathack, then escalate to root using CVE-2024-48990 (needrestart / PYTHONPATH).

    @VivekIntel

    21 Mar 2026

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. HackTheBox - Conversor 🛤️ Path Traversal y Arbitrary File Write ⏰ Acceso inicial a traves de Cronjob para scripts Python 🔑 Credenciales en base de datos 🚀 Escalada de privilegios via CVE-2024-48990 https://t.co/njAHJU1FT6

    @sckull_

    21 Mar 2026

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Conversor from @hackthebox_eu features XSLT injection and os.path.join abuse for file write, and CVE-2024-48990 in needrestart (plus a config GTFObin) for root. https://t.co/LvfwmvcEEy

    @0xdf_

    21 Mar 2026

    1673 Impressions

    6 Retweets

    28 Likes

    5 Bookmarks

    1 Reply

    0 Quotes

  5. needrestart-privesc-cve-2024-48990 #exploit Local privilege escalation exploit for needrestart (CVE-2024-48990) https://t.co/kKsdKyhpuJ

    @TheExploitLab

    22 Dec 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2024-48990 is a priv esc vulnerability for needrestart in version 3.7 and below This bug is due to a search path element in checking the Python processes in the PYTHONPATH environment without any sanitization Attackers can insert their code into the search path as a user h

    @Koinsec

    21 Dec 2025

    77 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2024-48990 #exploit an exploit for CVE-2024-48990 ( Local Privilege Escalation ) in needrestart https://t.co/HGoQHQ2R7u

    @TheExploitLab

    17 Dec 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. آسیب‌پذیری بحرانی در ابزار needrestart: CVE-2024-48990 https://t.co/EsSLluD5TY #cve_2024_48990 https://t.co/x0A3Ud6b75

    @MrMtwoj

    1 Jul 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Linux LPE via Needrestart (CVE-2024-48990) allows local attackers to gain root access by exploiting improper handling of the PYTHONPATH variable in versions prior to 3.8. #CVE2024 #Linux #LPE https://t.co/B8KRDjioDq

    @RootOps_

    5 Jan 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Apache Tomcat RCE https://t.co/biOW1jOz6G 2. CVE-2024-48990: Qualys needrestart <3.8 - Uncontrolled Search Path Element https://t.co/pKVKT2PM7r

    @ShaiiikShoaiiib

    24 Dec 2024

    196 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  11. #exploit 1. CVE-2024-50379: Apache Tomcat RCE https://t.co/WAsPq9YMAW 2. CVE-2024-48990: Qualys needrestart <3.8 - Uncontrolled Search Path Element https://t.co/TrNdynfKau

    @ksg93rd

    23 Dec 2024

    224 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Ubuntuのneedrestartに脆弱性(CVE-2024-48990、CVE-2024-48991、CVE-2024-48992、CVE-2024-10224、CVE-2024-11003) https://t.co/jdRGYKBJWD

    @01Programing

    25 Nov 2024

    14 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Ubuntuのneedrestartに脆弱性(CVE-2024-48990、CVE-2024-48991、CVE-2024-48992、CVE-2024-10224、CVE-2024-11003)|セキュリティニュース https://t.co/Cm1CuKHnqf

    @01ra66it

    25 Nov 2024

    233 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  14. GitHub - makuga01/CVE-2024-48990-PoC: PoC for CVE-2024-48990 https://t.co/xCVnpcBojh

    @akaclandestine

    24 Nov 2024

    1081 Impressions

    2 Retweets

    2 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  15. Actively exploited CVE : CVE-2024-48990

    @transilienceai

    24 Nov 2024

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  16. CVE-2024-48990: Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable. https://t.co/0bp0fZTQ1P https

    @cyber_advising

    23 Nov 2024

    720 Impressions

    0 Retweets

    7 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  17. GitHub - makuga01/CVE-2024-48990-PoC: PoC for CVE-2024-48990 - https://t.co/OMGxkSLSIS

    @piedpiper1616

    22 Nov 2024

    1990 Impressions

    13 Retweets

    27 Likes

    12 Bookmarks

    0 Replies

    0 Quotes

  18. Ubuntu 25.04 Plucky Puffin e vulnerabilità needrestart Tech, CVE-2024-48990, cybersecurity, GNOME 48, Linux Kernel 6.14, needrestart, Plucky Puffin, Ubuntu 25.04, vulnerabilità https://t.co/9V8nBaEREJ https://t.co/sTcVUZ2vME

    @matricedigitale

    21 Nov 2024

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. Canonical’s security team has released updates for the needrestart and libmodule-scandeps-perl packages for all Ubuntu releases. The updates remediate CVE-2024-10224, CVE-2024-11003, CVE-2024-48990, CVE-2024-48991 and CVE-2024-48992. Learn more on the blog https://t.co/vjtSFyCpCK

    @ubuntu

    21 Nov 2024

    6943 Impressions

    15 Retweets

    74 Likes

    6 Bookmarks

    0 Replies

    1 Quote

  20. CVE-2024-48990 and other: Multiple vulns in Needrestart utility for Ubuntu, 5.3 - 7.8 rating❗️ Five vulns allow LPE to be carried out on machines running Ubuntu OS. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/YW9lwDxQUw #cybersecurity #vulnerability_map #ubuntu ht

    @Netlas_io

    21 Nov 2024

    348 Impressions

    1 Retweet

    6 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. Great catch(es) with CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003 by @qualys in “needrestart” v0.8 in Ubuntu Linux 21.04. Needrestart v3.8 patches all five. Released yesterday. Full text of the Qualys advisory at https://t.co/Jl3HFVKjQw

    @Sujeet

    20 Nov 2024

    93 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 5 Privilege Escalation Flaws Found in #Ubuntu's Default Utility, #needrestart CVEs CVE-2024-48990, CVE-2024-48991, CVE-2024-48992 These flaws can be exploited by any unprivileged user to gain full root access without requiring user interaction https://t.co/OcI2NlXn53

    @the_yellow_fall

    20 Nov 2024

    766 Impressions

    9 Retweets

    21 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  23. Was going to let that just be a tweet but it turned into a full blown blogpost - Servers NeedRestart - The Problem with CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003 https://t.co/TBrlK4XeBb

    @nanovms

    20 Nov 2024

    189 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. CVE-2024-48990 CVE-2024-48991 CVE-2024-48992 CVE-2024-10224 and CVE-2024-11003 - all probably affecting your ubuntu servers - this is a perfect example of why you should be using unikernels - WTF would you allow some perl to run as root if you yourself don't code in perl? https:

    @nanovms

    19 Nov 2024

    293 Impressions

    0 Retweets

    6 Likes

    0 Bookmarks

    0 Replies

    1 Quote

Configurations

Related CVEs

  1. In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data, or a chained skb_has_frag_list()) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate to also unshare when skb_has_frag_list() or skb_has_shared_frag() is true. This catches the splice-loopback vector and other externally-shared frag sources while preserving the zero-copy fast path for skbs whose frags are kernel-private (e.g. NIC page_pool RX, GRO). The OOM/trace handling already in place is reused.CVE-2026-43500
  2. In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().CVE-2026-43284
  3. Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.CVE-2026-28780
  4. Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.CVE-2026-29168
  5. A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.CVE-2026-29169

References

Sources include official advisories and independent security research.