Backport fixes for CVE-2024-6174 and CVE-2024-11584 cloud-init included the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. An unprivelege user could trigger hotplug-hook commands (CVE-2024-11584) When a non-x86 platform is detected, cloud-init granted root access to a

Source: Critical Buffer Overflow Patch in Fedora 41 for Cloud-Init CVE-2024-11584