CVE-2012-3524

libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."

Published: 2012-09-18 Last update: 2026-04-29 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2012-3524 is rated High Exploit Risk (69.2/100): CVSS Medium severity, with high exploitation likelihood (EPSS 4.51%, 90th percentile). Core evidence: 4 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Public exploit references (Exploit-DB) for CVE-2012-3524

| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| 21323 | exploit_db | edb | 2012-07-17 | Exploit-DB ↗ |
| | nvd_ref | exploit_tag | | Exploit-DB ↗ |
| | nvd_ref | exploit_tag | | Exploit-DB ↗ |
| | nvd_ref | exploit_tag | | Exploit-DB ↗ |

Exploit prediction scoring system (EPSS) score for CVE-2012-3524

The daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 30.84% | 4.51% | -26.32% |
| 2 | 2026-06-07 | 36.15% | 30.84% | -5.31% |
| 3 | 2026-05-25 | | 36.15% | |

Full EPSS history (22 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2012-3524

CVSS metrics for this CVE.

| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.9 | 2.0 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C | 3.4 | 10.0 | [email protected] |

Vector breakdown:

Access vector (AV:L): Requires local access to the target system.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (Au:N): No authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

Weakness enumeration for CVE-2012-3524

OS Trackers for CVE-2012-3524

| Vendor | Priority | Summary | Link |
|---|---|---|---|
| debian | not yet assigned | CVE-2012-3524 not yet assigned priority: Debian including 2 source packages (dbus, glib2.0), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 10. | https://security-tracker.debian.org/tracker/CVE-2012-3524 |
| gentoo | high | CVE-2012-3524: 1 GLSA(s) (201406-01), 2 atom(s) (dev-libs/glib, sys-apps/dbus); latest impact high. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2012-3524 |
| redhat | high | | https://access.redhat.com/security/cve/CVE-2012-3524 |
| suse | high | CVE-2012-3524 severity important: SUSE including 219 source package names (dbus-1-1.10.12-2.1, dbus-1-1.12.2-1.76, …), 402 product×package rows across 45 product lines (SUSE Linux Enterprise Desktop 11 SP2, SUSE Linux Enterprise Desktop 12, … (45 product lines)): Fixed 399, Known Not Affected 3. | https://www.suse.com/security/cve/CVE-2012-3524/ |
| ubuntu | medium | CVE-2012-3524 medium priority: Ubuntu including 1 source packages (dbus), 6 status rows across 6 suites (hardy, lucid, natty, oneiric, precise, upstream): released 5, needs-triage 1. | https://ubuntu.com/security/CVE-2012-3524 |

Affected software / configurations for CVE-2012-3524

| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| freedesktop | libdbus | <= 1.5.12 | `cpe:2.3:a:freedesktop:libdbus:*:*:*:*:*:*:*:*` |
| freedesktop | libdbus | 1.5.0 | `cpe:2.3:a:freedesktop:libdbus:1.5.0:*:*:*:*:*:*:*` |
| freedesktop | libdbus | 1.5.2 | `cpe:2.3:a:freedesktop:libdbus:1.5.2:*:*:*:*:*:*:*` |
| freedesktop | libdbus | 1.5.4 | `cpe:2.3:a:freedesktop:libdbus:1.5.4:*:*:*:*:*:*:*` |
| freedesktop | libdbus | 1.5.6 | `cpe:2.3:a:freedesktop:libdbus:1.5.6:*:*:*:*:*:*:*` |
| freedesktop | libdbus | 1.5.8 | `cpe:2.3:a:freedesktop:libdbus:1.5.8:*:*:*:*:*:*:*` |
| freedesktop | libdbus | 1.5.10 | `cpe:2.3:a:freedesktop:libdbus:1.5.10:*:*:*:*:*:*:*` |

References for CVE-2012-3524

URL Tags
http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00009.html
http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00000.html
http://lists.opensuse.org/opensuse-updates/2012-10/msg00094.html
http://rhn.redhat.com/errata/RHSA-2012-1261.html
http://secunia.com/advisories/50537 Vendor Advisory
http://secunia.com/advisories/50544
http://secunia.com/advisories/50710
http://stealth.openwall.net/null/dzug.c Exploit
http://www.exploit-db.com/exploits/21323 Exploit
http://www.mandriva.com/security/advisories?name=MDVSA-2013:070
http://www.mandriva.com/security/advisories?name=MDVSA-2013:083
http://www.openwall.com/lists/oss-security/2012/07/10/4
http://www.openwall.com/lists/oss-security/2012/07/26/1
http://www.openwall.com/lists/oss-security/2012/09/12/6
http://www.openwall.com/lists/oss-security/2012/09/14/2
http://www.openwall.com/lists/oss-security/2012/09/17/2
http://www.securityfocus.com/bid/55517 Exploit
http://www.ubuntu.com/usn/USN-1576-1
http://www.ubuntu.com/usn/USN-1576-2
https://bugs.freedesktop.org/show_bug.cgi?id=52202 Patch
https://bugzilla.novell.com/show_bug.cgi?id=697105
https://bugzilla.redhat.com/show_bug.cgi?id=847402