CVE-2024-27322

Name: CVE-2024-27322
Description: Deserialization of untrusted data can occur in the R statistical programming language, in any version from 1.4.0 up to but not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user's system when the file or package is loaded or otherwise interacted with.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release        Version             Status
r-base (PTS)      buster         3.5.2-1             vulnerable
                  bullseye       4.0.4-1             vulnerable
                  bookworm       4.2.2.20221110-2    vulnerable
                  sid, trixie    4.4.0-2             fixed

The information below is based on the following data on fixed versions.

Package    Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
r-base     source    (unstable)    4.4.0-2
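The advisory gives a half-open affected window (1.4.0 <= R < 4.4.0) and the tables give Debian package version strings, which carry an optional epoch, a Debian revision and sometimes a date snapshot appended to the upstream version. The script below is an added example, not part of the Debian tracker page or of the R project: it normalises such strings and classifies them against the advisory's range. The per-release versions in SAMPLE_PACKAGES are the ones the tables above list; the epoch-prefixed entry and the `R --version` banner are constructed inputs for coverage.

```python
"""Classify r-base / R version strings against the CVE-2024-27322 range.

Added example; not part of the Debian security tracker page or the R project.
The affected window (1.4.0 <= R < 4.4.0) and the Debian fixed version 4.4.0-2
come from the advisory text and tables; the epoch-prefixed sample and the
R --version banner below are constructed, not taken from the page.
"""
import re

FIRST_AFFECTED = (1, 4, 0)        # advisory: affected "starting at 1.4.0"
FIRST_FIXED = (4, 4, 0)           # advisory: "up to and not including 4.4.0"
DEBIAN_FIXED_VERSION = "4.4.0-2"  # from the fixed-versions table (unstable)

# Release -> package version, as listed in the tables above, plus one
# constructed epoch-prefixed entry to exercise the parser.
SAMPLE_PACKAGES = {
    "buster": "3.5.2-1",
    "bullseye": "4.0.4-1",
    "bookworm": "4.2.2.20221110-2",
    "sid": "4.4.0-2",
    "constructed-epoch": "1:4.3.3-1",  # constructed, not on the page
}


def debian_upstream_version(pkg_version):
    """Return the upstream part of a Debian version: [epoch:]upstream[-revision].

    '1:4.2.2.20221110-2' -> '4.2.2.20221110'
    """
    if ":" in pkg_version:
        pkg_version = pkg_version.split(":", 1)[1]
    # The Debian revision is the part after the *last* hyphen; upstream
    # versions may contain hyphens themselves, so split from the right.
    return pkg_version.rsplit("-", 1)[0]


def r_version_tuple(upstream):
    """Leading major.minor.patch of an R version string, as an int tuple.

    R's own version is always three numbers; Debian sometimes appends a
    date snapshot ('4.2.2.20221110'), which is irrelevant to the range check.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", upstream)
    if not m:
        raise ValueError(f"not an R version string: {upstream!r}")
    return tuple(int(x) for x in m.groups())


def version_from_r_banner(text):
    """Pull x.y.z out of the first line `R --version` prints,
    e.g. 'R version 4.3.2 (2023-10-31) -- "Eye Holes"'."""
    m = re.search(r"R version (\d+\.\d+\.\d+)", text)
    if not m:
        raise ValueError("no 'R version x.y.z' banner found")
    return m.group(1)


def is_affected(pkg_version):
    """True if the upstream R version lies within [1.4.0, 4.4.0)."""
    v = r_version_tuple(debian_upstream_version(pkg_version))
    return FIRST_AFFECTED <= v < FIRST_FIXED


def assess(packages):
    """Map {label: version} to {label: status} using the advisory's range.

    'below-range' means older than 1.4.0, which the advisory does not list
    as affected; 'fixed' means 4.4.0 or later.
    """
    result = {}
    for label, version in packages.items():
        v = r_version_tuple(debian_upstream_version(version))
        if v < FIRST_AFFECTED:
            result[label] = "below-range"
        elif v < FIRST_FIXED:
            result[label] = "vulnerable"
        else:
            result[label] = "fixed"
    return result


if __name__ == "__main__":
    for label, status in assess(SAMPLE_PACKAGES).items():
        print(f"{label:18} {SAMPLE_PACKAGES[label]:20} {status}")
    # Constructed banner, shaped like the first line of `R --version`.
    banner = 'R version 4.3.2 (2023-10-31) -- "Eye Holes"'
    ver = version_from_r_banner(banner)
    print(f"banner {ver:20} {'vulnerable' if is_affected(ver) else 'not affected'}")
```

On a Debian host the installed string comes from `dpkg-query -W -f='${Version}\n' r-base`, and the same comparison can be made with `dpkg --compare-versions`; the Python form above is for reviewing version inventories offline. Note that it classifies only by upstream version, so an R built from a CRAN tarball, conda, or a container image is checked the same way via its `R --version` banner, and a Debian revision alone (for example anything before 4.4.0-2 on sid) is not evidence of a fix.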

Notes

https://hiddenlayer.com/research/r-bitrary-code-execution/
https://kb.cert.org/vuls/id/238194
