DEBIAN-CVE-2024-3596

DEBIAN-CVE-2024-3596 PUBLISHED CVSS 9 CRITICAL

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.

Risk Scores

CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:11	freeradius	0, 3.0.21+dfsg-2.2, 3.0.21+dfsg-2.2+deb11u1
Debian:14	freeradius	0, 0
Debian:12	freeradius	0, 3.2.1+dfsg-4, 3.2.2+dfsg-1~exp1
Debian:13	freeradius	0, 0

Exploit Intelligence

alperenugurlu/CVE-2024-3596-Detector (github-poc)
AccessResponse.java (github-poc)
config.c (github-poc)
PHSA-2025-5.0-0545.json (github-poc)

Timeline

Jul 9, 2024 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2024-3596 advisory

Open in Interactive Console →