CVE-2025-36244

Summary

IBM AIX 7.2, 7.3, IBM VIOS 3.1, and 4.1, when configured to use Kerberos network authentication, could allow a local user to write to files on the system with root privileges due to improper initialization of critical variables.

Affected Software

VendorProductVersion RangeStatus
IBMAIX7.2affected
IBMAIX7.3affected
IBMVIOS3.1affected
IBMVIOS4.1affected

Weaknesses

  • CWE-454: CWE-454 External Initialization of Trusted Variables or Data Stores

Workarounds

If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.

 

To preview a fix installation:

installp -a -d fix_name -p all # where fix_name is the name of the

                                            # fix package being previewed.

 

To install a fix package:

installp -a -d fix_name -X all # where fix_name is the name of the

                                            # fix package being installed.

 

Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.

 

Interim fix management documentation can be found at:

https://www.ibm.com/support/pages/managing-interim-fixes-aix

 

To preview an interim fix installation:

emgr -e ipkg_name -p         # where ipkg_name is the name of the

                                        # interim fix package being previewed.

 

To install an interim fix package:

emgr -e ipkg_name -X         # where ipkg_name is the name of the

                                        # interim fix package being installed.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References