Untrusted Emacs Lisp Source Code Expansion can Lead to Arbitrary Code Execution
CVE-2024-53920
7.8HIGH
Summary
A vulnerability exists in the elisp mode of GNU Emacs versions prior to 30.0.92 that allows untrusted Emacs Lisp source code to execute arbitrary code. This issue arises when users invoke the 'elisp-completion-at-point' function for code completion or enable on-the-fly diagnostics which may inadvertently byte-compile untrusted code, leading to unsafe Lisp macro expansions. It is crucial for users to exercise caution when dealing with untrusted code to mitigate potential security risks.
References
CVSS V3.1
Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published