CVE-2024-27322
Publication date 29 April 2024
Last updated 26 August 2025
Ubuntu priority
Description
Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| r-base | 25.10 questing |
Not affected
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable
|
|
| 14.04 LTS trusty |
Vulnerable
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.8 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-27322
- https://hiddenlayer.com/research/r-bitrary-code-execution/
- https://kb.cert.org/vuls/id/238194
- https://src.fedoraproject.org/rpms/R/blob/f39/f/R-CVE-2024-27322.patch
- https://github.com/r-devel/r-svn/commit/f7c46500f455eb4edfc3656c3fa20af61b16abb7
- https://blog.r-project.org/2024/05/10/statement-on-cve-2024-27322/index.html
- https://https://kb.cert.org/vuls/id/238194
- https://www.kb.cert.org/vuls/id/238194
- http://www.openwall.com/lists/oss-security/2024/04/29/3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JVE5FDLFJGTAMOSJ6DREFAODEUBRFWSG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLV4OWXZIJ7EFBIWUZADUSHYJTFAQ4D/