PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-22365 Linux Pam CVE debrief

CVE-2024-22365 is a medium-severity denial-of-service issue in linux-pam affecting versions before 1.6.0. According to the NVD record, a local attacker with low privileges can block the login process by using mkfifo to place a FIFO where protect_dir expects a directory: the openat call in protect_dir lacks O_DIRECTORY, so it opens the FIFO for reading and sleeps until a writer appears, which never happens. The practical impact is availability loss for authentication and login workflows, not data exposure or integrity compromise.

Vendor
Linux Pam
Product
linux-pam
CVSS
MEDIUM 5.5
CISA KEV
Not listed in the stored evidence
Original CVE published
2024-02-06
Original CVE updated
2026-05-12
Advisory published
2024-02-06
Advisory updated
2026-05-12

Who should care

Administrators and security teams running linux-pam on Linux systems should care, especially where PAM mediates interactive login, privilege elevation (su, sudo), or remote access (sshd). Distribution maintainers and platform operators should also check whether their packaged linux-pam version is below 1.6.0 and, if so, whether the upstream fix has already been backported, since distributions often ship the patch without moving to the 1.6.0 version number.

Technical summary

NVD lists linux-pam versions before 1.6.0 as vulnerable, with a CVSS 3.1 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (local, low complexity, low privileges, no user interaction; availability impact only). The record states that an attacker can cause a denial of service by blocking the login process via mkfifo, because the openat call for protect_dir does not use O_DIRECTORY. protect_dir() lives in the pam_namespace module and walks a path component by component, opening each one before checking it; without O_DIRECTORY, a FIFO substituted for one of those components is opened like any other file, and a read-only open of a FIFO with no writer blocks indefinitely, hanging the login that triggered it. Adding O_DIRECTORY makes the kernel reject any non-directory at that step with ENOTDIR. The NVD record maps the weakness to CWE-664 (Improper Control of a Resource Through its Lifetime) as a secondary classification, while the primary weakness is listed as CWE-noinfo.
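The following program is an added illustration of that one flag, not code from linux-pam or from this debrief. It models only the openat step of a protect_dir-style walk: open_component() opens a path component relative to a directory fd with and without O_DIRECTORY, and probe() builds a constructed scratch directory containing a real subdirectory ("realdir") and a FIFO ("trap"), runs one open, and classifies what was opened. O_NONBLOCK is added here solely so the demo cannot hang; the real login-path open has no O_NONBLOCK, which is exactly why a FIFO blocks it. The other flags mirror the usual O_RDONLY|O_NOFOLLOW|O_CLOEXEC set but are an assumption about the upstream code, and the real function also performs ownership and mode checks that this example leaves out.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcomes of opening one path component the way a protect_dir-style walk would. */
enum outcome {
    OPEN_REFUSED_NOTDIR = 0,  /* openat failed with ENOTDIR: the hardened open rejected the trap */
    OPEN_IS_DIRECTORY   = 1,  /* a real directory was opened: the normal case */
    OPEN_IS_FIFO        = 2,  /* a FIFO was opened: the vulnerable open accepted the trap */
    OPEN_OTHER_ERROR    = 3
};

/* Open one component relative to dirfd.  use_o_directory == 0 mirrors the
 * pre-1.6.0 flag set (no O_DIRECTORY); 1 mirrors the fixed one.  O_NONBLOCK is
 * present ONLY so this demo cannot hang: without it, opening a FIFO that has no
 * writer sleeps forever, which is the denial of service described by the CVE. */
static int open_component(int dirfd, const char *name, int use_o_directory)
{
    int flags = O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK;
    if (use_o_directory)
        flags |= O_DIRECTORY;
    return openat(dirfd, name, flags);
}

/* Constructed fixture: a scratch directory holding a genuine subdirectory
 * ("realdir") and a FIFO ("trap") standing where a directory is expected.
 * Opens `name` once, classifies the result, then removes everything. */
enum outcome probe(const char *name, int use_o_directory)
{
    char tmpl[] = "/tmp/pam-o-directory-demo.XXXXXX";
    enum outcome result = OPEN_OTHER_ERROR;

    if (mkdtemp(tmpl) == NULL)
        return OPEN_OTHER_ERROR;
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd >= 0 && mkdirat(dfd, "realdir", 0700) == 0 && mkfifoat(dfd, "trap", 0600) == 0) {
        int fd = open_component(dfd, name, use_o_directory);
        if (fd < 0) {
            result = (errno == ENOTDIR) ? OPEN_REFUSED_NOTDIR : OPEN_OTHER_ERROR;
        } else {
            struct stat st;
            if (fstat(fd, &st) != 0)
                result = OPEN_OTHER_ERROR;
            else if (S_ISDIR(st.st_mode))
                result = OPEN_IS_DIRECTORY;
            else if (S_ISFIFO(st.st_mode))
                result = OPEN_IS_FIFO;
            close(fd);
        }
    }
    if (dfd >= 0) {
        unlinkat(dfd, "trap", 0);
        unlinkat(dfd, "realdir", AT_REMOVEDIR);
        close(dfd);
    }
    rmdir(tmpl);
    return result;
}

int main(void)
{
    printf("no O_DIRECTORY, FIFO -> %d (2 = FIFO accepted; would block without O_NONBLOCK)\n", probe("trap", 0));
    printf("O_DIRECTORY,    FIFO -> %d (0 = refused with ENOTDIR)\n", probe("trap", 1));
    printf("no O_DIRECTORY, dir  -> %d (1 = directory)\n", probe("realdir", 0));
    printf("O_DIRECTORY,    dir  -> %d (1 = directory)\n", probe("realdir", 1));
    return 0;
}
```

Build with `cc -o demo demo.c && ./demo`. The point to take away is the second line: with O_DIRECTORY the kernel refuses the FIFO before any read can block, so the check fails closed instead of hanging. If you want to see the actual hang, remove O_NONBLOCK from open_component and run the first probe; it will not return until something opens the FIFO for writing.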

Defensive priority

Medium

Recommended defensive actions

  • Confirm whether any deployed linux-pam packages are earlier than 1.6.0; package names differ by distribution (for example libpam0g on Debian-based systems and pam on RPM-based systems), so check the upstream version in the package metadata rather than the package name alone.
  • Upgrade to linux-pam 1.6.0 or later where possible.
  • If immediate upgrade is not feasible, apply the upstream patch or a vendor backport referenced in the advisory record.
  • Review systems where PAM-mediated logins are operationally critical, since the main impact is blocked authentication and login availability.
  • Validate that downstream distribution advisories or package changelogs reference the fix before and after deployment, because a backported package can carry a version number below 1.6.0 and still be patched.

Evidence notes

The supplied NVD record shows CVE-2024-22365 as published on 2024-02-06 and last modified on 2026-05-12. The record cites an oss-security mailing list post from 2024-01-18, an upstream linux-pam commit, and the v1.6.0 release tag as reference material. The affected version range in NVD ends before 1.6.0. NVD assigns CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and lists the primary weakness as CWE-noinfo with CWE-664 as secondary.

Official resources

Publicly disclosed in the NVD record on 2024-02-06; the oss-security post, the upstream patch commit, and the v1.6.0 release tag are the references included in the source record.