Remote code execution in GNU Emacs



Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID N/A
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Emacs
Client/Desktop applications / Office applications

Vendor GNU

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Remote code execution

EUVDB-ID: #VU8419

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: N/A

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to insufficient rendering of MIME text/richtext data. A remote attacker ca submit a specially crafted file and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update to version 25.3.

Vulnerable software versions

Emacs: 21.1 - 25.2

CPE2.3 External links

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###