CVE-2024-27322

Name: CVE-2024-27322
Description: Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1073061

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                Version             Status
r-base (PTS)     jessie, jessie (lts)   3.1.1-1+deb8u1      vulnerable
                 stretch                3.3.3-1             vulnerable
                 buster                 3.5.2-1             vulnerable
                 bullseye               4.0.4-1             vulnerable
                 bookworm               4.2.2.20221110-2    vulnerable
                 sid, trixie            4.4.2-1             fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency       Origin   Debian Bugs
r-base    source   (unstable)   4.4.0-2         unimportant            1073061

Notes

https://hiddenlayer.com/research/r-bitrary-code-execution/
https://kb.cert.org/vuls/id/238194
https://src.fedoraproject.org/rpms/R/blob/f39/f/R-CVE-2024-27322.patch
https://github.com/r-devel/r-svn/commit/f7c46500f455eb4edfc3656c3fa20af61b16abb7
https://blog.r-project.org/2024/05/10/statement-on-cve-2024-27322/index.html
Not considered a security issue by R Core (upstream) and the R Foundation.
