The tuned service in Red Hat Enterprise Linux 9, which adjusts system settings based on selected profiles, contained two vulnerabilities. CVE-2024-52336 allows attackers to pass arbitrary scripts via the `script_pre` and `script_post` options that are executed with root privileges, posing a privilege escalation risk. CVE-2024-52337 involves improper sanitization of the `instance_name` parameter in the `instance_create()` method, potentially leading to unexpected behavior or security issues due to unsafe input handling. Red Hat has issued an important security advisory (RHSA-2024:10384) with updates that fix these vulnerabilities across various RHEL 9 product variants and architectures.

If exploited, CVE-2024-52336 could allow an attacker to execute arbitrary scripts as root, leading to full system compromise. CVE-2024-52337's impact stems from improper input sanitization, which could cause security issues related to unsafe handling of instance names, potentially enabling further attacks or system instability. Both vulnerabilities affect Red Hat Enterprise Linux 9 and its variants, impacting system security and integrity.

Red Hat has released an official security update (RHSA-2024:10384) that addresses these vulnerabilities. Users of Red Hat Enterprise Linux 9 and its variants should apply the updated tuned packages as detailed in the Red Hat advisory and article https://access.redhat.com/articles/11258. Applying this update mitigates the vulnerabilities by correcting the script execution and input sanitization issues. No additional mitigation steps are indicated by the vendor advisory.