CVE-2024-10396: CWE-772 Missing Release of Resource after Effective Lifetime in The OpenAFS Foundation OpenAFS
An authenticated user can provide a malformed ACL to the fileserver's StoreACL RPC, causing the fileserver to crash, possibly expose uninitialized memory, and possibly store garbage data in the audit log. Malformed ACLs provided in responses to client FetchACL RPCs can cause client processes to crash and possibly expose uninitialized memory into other ACLs stored on the server.
AI Analysis
Technical Summary
CVE-2024-10396 is a vulnerability identified in the OpenAFS distributed file system, specifically affecting versions 1.0, 1.8.0, and 1.9.0. The flaw arises from improper handling of Access Control Lists (ACLs) in the fileserver's StoreACL RPC and client FetchACL RPC mechanisms. An authenticated attacker can submit malformed ACLs to the StoreACL RPC, causing the fileserver to crash, potentially exposing uninitialized memory contents and corrupting audit logs with garbage data. Similarly, malformed ACLs returned in FetchACL RPC responses can cause client processes to crash and may expose uninitialized memory within other ACLs stored on the server. This vulnerability is classified under CWE-772, which involves missing release of resources after their effective lifetime, leading to resource leaks and memory corruption. The CVSS v3.1 score is 6.5 (medium severity), reflecting a network attack vector with low complexity, requiring privileges but no user interaction, and resulting primarily in availability impact without direct confidentiality or integrity compromise. No patches or known exploits have been reported at the time of publication, but the risk of denial of service and potential memory exposure necessitates prompt attention.
Potential Impact
For European organizations relying on OpenAFS for distributed file storage and access control, this vulnerability poses a risk of denial of service through server or client crashes, which can disrupt business operations and access to critical data. The exposure of uninitialized memory may lead to inadvertent leakage of sensitive information, including potentially privileged data or audit logs, undermining confidentiality and compliance with data protection regulations such as GDPR. The corruption of audit logs can impair forensic investigations and compliance audits. Since exploitation requires authenticated access, insider threats or compromised credentials increase risk. Organizations in sectors with high reliance on distributed file systems, such as research institutions, government agencies, and large enterprises, may face operational and reputational damage if exploited.
Mitigation Recommendations
European organizations should immediately assess their OpenAFS deployments to identify affected versions (1.0, 1.8.0, 1.9.0). In the absence of official patches, organizations should implement strict access controls to limit authenticated user privileges to trusted personnel only. Network segmentation and monitoring of RPC traffic can help detect anomalous malformed ACL submissions. Employ runtime memory protection mechanisms and enable detailed logging to detect crashes or memory exposure events. Regularly audit and rotate credentials to reduce the risk of unauthorized authenticated access. Engage with the OpenAFS Foundation or community to obtain patches or updates as they become available. Additionally, consider deploying application-layer firewalls or RPC proxies that can validate ACL formats before they reach the fileserver or clients.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: fedora
- Date Reserved: 2024-10-25T19:25:45.524Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694ab6b2e971240e2a747f10
Added to database: 12/23/2025, 3:35:14 PM
Last enriched: 12/23/2025, 3:50:22 PM
Last updated: 12/23/2025, 5:59:57 PM