CVE-2014-2524

The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 allows local users to create or overwrite arbitrary files via a symlink attack on a /var/tmp/rltrace.[PID] file.

Published: 2014-08-20 Last update: 2026-05-06 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2014-2524 is rated Low Risk (25.5/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.43%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2014-2524

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.14% 0.43% +0.29%
2 2026-03-16 0.16% 0.14% -0.01%
3 2025-07-13 0.16%

Full EPSS history (7 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2014-2524

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
3.3 2.0 LOW
AV:L/AC:M/Au:N/C:N/I:P/A:P Click to expand
Access vector (AV:L)
Requires local access to the target system.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 3.4 4.9 [email protected]

Weakness enumeration for CVE-2014-2524

OS Trackers for CVE-2014-2524

vendor priority summary link
redhat low https://access.redhat.com/security/cve/CVE-2014-2524
suse low CVE-2014-2524 severity low: SUSE including 369 source package names (amazon/suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64, amazon/suse-sles-15-sp1-chost-byos-v20220127-hvm-ssd-x86_64, …), 443 product×package rows across 49 product lines (HPE Helion OpenStack 8, SUSE Linux Enterprise Desktop 12, … (49 product lines)): Known Affected 231, Fixed 191, Known Not Affected 21. https://www.suse.com/security/cve/CVE-2014-2524/
ubuntu negligible CVE-2014-2524 negligible priority: Ubuntu including 1 source packages (readline6), 9 status rows across 9 suites (lucid, precise, quantal, saucy, trusty, upstream, utopic, vivid, wily): ignored 7, not-affected 1, released 1. https://ubuntu.com/security/CVE-2014-2524

Affected software / configurations for CVE-2014-2524

Vendor Product Version Raw CPE
mageia mageia 3.0 cpe:2.3:o:mageia:mageia:3.0:*:*:*:*:*:*:*
mageia mageia 4.0 cpe:2.3:o:mageia:mageia:4.0:*:*:*:*:*:*:*
gnu readline <= 6.3 cpe:2.3:a:gnu:readline:*:*:*:*:*:*:*:*
gnu readline 2.1 cpe:2.3:a:gnu:readline:2.1:*:*:*:*:*:*:*
gnu readline 2.2 cpe:2.3:a:gnu:readline:2.2:*:*:*:*:*:*:*
gnu readline 4.0 cpe:2.3:a:gnu:readline:4.0:*:*:*:*:*:*:*
gnu readline 4.1 cpe:2.3:a:gnu:readline:4.1:*:*:*:*:*:*:*
gnu readline 4.2 cpe:2.3:a:gnu:readline:4.2:*:*:*:*:*:*:*
gnu readline 4.2 cpe:2.3:a:gnu:readline:4.2:a:*:*:*:*:*:*
gnu readline 4.3 cpe:2.3:a:gnu:readline:4.3:*:*:*:*:*:*:*
gnu readline 5.0 cpe:2.3:a:gnu:readline:5.0:*:*:*:*:*:*:*
gnu readline 5.1 cpe:2.3:a:gnu:readline:5.1:*:*:*:*:*:*:*
gnu readline 5.2 cpe:2.3:a:gnu:readline:5.2:*:*:*:*:*:*:*
gnu readline 6.0 cpe:2.3:a:gnu:readline:6.0:*:*:*:*:*:*:*
gnu readline 6.1 cpe:2.3:a:gnu:readline:6.1:*:*:*:*:*:*:*
gnu readline 6.2 cpe:2.3:a:gnu:readline:6.2:*:*:*:*:*:*:*
opensuse opensuse 12.3 cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
opensuse opensuse 13.1 cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
fedoraproject fedora 20 cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*

References for CVE-2014-2524

cvelogic Threat Intelligence