Cyber Posture

CVE-2024-51440

High

Published: 12 February 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

An issue in Nothing Tech Nothing OS v.2.6 allows a local attacker to escalate privileges via the NtBpfService component.

Security Summary

CVE-2024-51440 is a privilege escalation vulnerability in Nothing Tech's Nothing OS version 2.6, specifically affecting the NtBpfService component. This flaw, linked to CWE-276 (Incorrect Default Permissions), has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

A local attacker with low privileges (PR:L) can exploit this vulnerability without user interaction (UI:N) and with low complexity (AC:L). Successful exploitation allows the attacker to escalate privileges, potentially gaining full control over the affected device by modifying or accessing restricted resources through the NtBpfService.

Mitigation details and further technical analysis are available in the referenced advisory at https://sharedobject.blog/posts/nothing-bpf/.

Details

CWE(s)
CWE-276

References