Untrusted Emacs Lisp Source Code Expansion can Lead to Arbitrary Code Execution
CVE-2024-53920

7.8HIGH

Key Information:

Vendor
GNU
Status
Vendor
CVE Published:
27 November 2024

Summary

A vulnerability exists in the elisp mode of GNU Emacs versions prior to 30.0.92 that allows untrusted Emacs Lisp source code to execute arbitrary code. This issue arises when users invoke the 'elisp-completion-at-point' function for code completion or enable on-the-fly diagnostics which may inadvertently byte-compile untrusted code, leading to unsafe Lisp macro expansions. It is crucial for users to exercise caution when dealing with untrusted code to mitigate potential security risks.

References

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

.