{
  "document": {
    "aggregate_severity": {
      "text": "Low"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/vex/2024/cve-2024-56433-els_os-almalinux9_2esu.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-24T09:19:18Z",
      "generator": {
        "date": "2026-04-24T09:19:18Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2024-56433-ELS_OS-ALMALINUX9.2ESU",
      "initial_release_date": "2024-12-26T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-12-26T00:00:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-11-29T10:37:43Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2025-12-23T19:08:30Z",
          "number": "3",
          "summary": "Update document"
        },
        {
          "date": "2026-03-31T23:21:40Z",
          "number": "4",
          "summary": "Update document"
        },
        {
          "date": "2026-04-24T09:19:18Z",
          "number": "5",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "5"
    },
    "title": "Security update on CVE-2024-56433"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "shadow-utils-2:4.9-6.el9.x86_64",
                "product": {
                  "name": "shadow-utils-2:4.9-6.el9.x86_64",
                  "product_id": "shadow-utils-2:4.9-6.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/shadow-utils@4.9-6.el9?arch=x86_64&epoch=2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "shadow-utils-subid-2:4.9-6.el9.x86_64",
                "product": {
                  "name": "shadow-utils-subid-2:4.9-6.el9.x86_64",
                  "product_id": "shadow-utils-subid-2:4.9-6.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/shadow-utils-subid@4.9-6.el9?arch=x86_64&epoch=2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "shadow-utils-subid-devel-2:4.9-6.el9.x86_64",
                "product": {
                  "name": "shadow-utils-subid-devel-2:4.9-6.el9.x86_64",
                  "product_id": "shadow-utils-subid-devel-2:4.9-6.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/shadow-utils-subid-devel@4.9-6.el9?arch=x86_64&epoch=2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "shadow-utils-subid-2:4.9-6.el9.i686",
                "product": {
                  "name": "shadow-utils-subid-2:4.9-6.el9.i686",
                  "product_id": "shadow-utils-subid-2:4.9-6.el9.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/shadow-utils-subid@4.9-6.el9?arch=i686&epoch=2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "shadow-utils-subid-devel-2:4.9-6.el9.i686",
                "product": {
                  "name": "shadow-utils-subid-devel-2:4.9-6.el9.i686",
                  "product_id": "shadow-utils-subid-devel-2:4.9-6.el9.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/shadow-utils-subid-devel@4.9-6.el9?arch=i686&epoch=2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "shadow-utils-2:4.9-6.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "shadow-utils-2:4.9-6.el9.tuxcare.els1.x86_64",
                  "product_id": "shadow-utils-2:4.9-6.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/shadow-utils@4.9-6.el9.tuxcare.els1?arch=x86_64&epoch=2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.x86_64",
                  "product_id": "shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/shadow-utils-subid@4.9-6.el9.tuxcare.els1?arch=x86_64&epoch=2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.x86_64",
                  "product_id": "shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/shadow-utils-subid-devel@4.9-6.el9.tuxcare.els1?arch=x86_64&epoch=2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.i686",
                "product": {
                  "name": "shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.i686",
                  "product_id": "shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/shadow-utils-subid@4.9-6.el9.tuxcare.els1?arch=i686&epoch=2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.i686",
                "product": {
                  "name": "shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.i686",
                  "product_id": "shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/shadow-utils-subid-devel@4.9-6.el9.tuxcare.els1?arch=i686&epoch=2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "shadow-utils-2:4.9-6.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:shadow-utils-2:4.9-6.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "shadow-utils-2:4.9-6.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "shadow-utils-2:4.9-6.el9.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:shadow-utils-2:4.9-6.el9.x86_64"
        },
        "product_reference": "shadow-utils-2:4.9-6.el9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.i686"
        },
        "product_reference": "shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "shadow-utils-subid-2:4.9-6.el9.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.i686"
        },
        "product_reference": "shadow-utils-subid-2:4.9-6.el9.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "shadow-utils-subid-2:4.9-6.el9.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.x86_64"
        },
        "product_reference": "shadow-utils-subid-2:4.9-6.el9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.i686"
        },
        "product_reference": "shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "shadow-utils-subid-devel-2:4.9-6.el9.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.i686"
        },
        "product_reference": "shadow-utils-subid-devel-2:4.9-6.el9.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "shadow-utils-subid-devel-2:4.9-6.el9.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.x86_64"
        },
        "product_reference": "shadow-utils-subid-devel-2:4.9-6.el9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-56433",
      "cwe": {
        "id": "CWE-1188",
        "name": "Initialization of a Resource with an Insecure Default"
      },
      "notes": [
        {
          "category": "description",
          "text": "shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "AlmaLinux-9.2:shadow-utils-2:4.9-6.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:shadow-utils-2:4.9-6.el9.x86_64",
          "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.i686",
          "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.i686",
          "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.x86_64",
          "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.i686",
          "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.i686",
          "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-56433"
        }
      ],
      "release_date": "2024-12-26T00:00:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "This is a local, configuration-dependent issue: exploitation requires a local user to have subordinate UID delegation and to deliberately map a UID that exactly collides with a network identity that is reachable and trusted purely by numeric UID (e.g., an NFS export), which is a non-default condition. Absent that explicit overlap, the default /etc/subuid range does not map to real accounts and use of newuidmap cannot grant privileges beyond those already permitted by subordinate UID entries and user namespaces. With high attack complexity, unchanged scope, and only low confidentiality/integrity impact (no availability impact), it is reasonable to deprioritize this CVE relative to remotely exploitable or privilege-escalation vulnerabilities.",
          "product_ids": [
            "AlmaLinux-9.2:shadow-utils-2:4.9-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:shadow-utils-2:4.9-6.el9.x86_64",
            "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.i686",
            "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.x86_64",
            "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.i686",
            "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.x86_64"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "We have assessed this issue and opted not to ship a fix. CVE-2024-56433 is a local, configuration-dependent weakness in the default /etc/subuid range (SUB_UID_MIN=100000), exploitable only when a local user with subordinate UID delegation deliberately maps a UID that collides with a network-resolved identity trusted purely by numeric UID (for example an NFS export) — a non-default, administrator-created condition. The CVSSv3 vector (AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N, score 3.6) reflects this: local access, high attack complexity, unchanged scope, and low confidentiality/integrity impact with no availability impact. The upstream project acknowledges that no default subordinate UID range can avoid collision with every deployment, and the advisory that claims to address this CVE introduces no code or configuration change that materially alters the documented behavior. Changing the default range without a verified upstream solution would risk regressing rootless-container workflows that depend on the current subordinate UID allocation. On this basis, and consistent with deprioritizing it relative to remotely exploitable or privilege-escalation classes of vulnerability, this CVE is declined for backporting. Administrators who operate in environments where local UIDs in the 100000–165535 range collide with network-resolved identities should override SUB_UID_MIN/SUB_GID_MIN in /etc/login.defs to a range outside their local identity allocations.",
          "product_ids": [
            "AlmaLinux-9.2:shadow-utils-2:4.9-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:shadow-utils-2:4.9-6.el9.x86_64",
            "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.i686",
            "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.x86_64",
            "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.i686",
            "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:shadow-utils-2:4.9-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:shadow-utils-2:4.9-6.el9.x86_64",
            "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.i686",
            "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:shadow-utils-subid-2:4.9-6.el9.x86_64",
            "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.i686",
            "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:shadow-utils-subid-devel-2:4.9-6.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ]
    }
  ]
}