CVE-2025-4802
7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| The GNU C Library | glibc | 2.27 < 2.39 | affected |
Weaknesses
- CWE-426: CWE-426 Untrusted Search Path
ADP Enrichment
CVE Program Container
Additional References
- http://www.openwall.com/lists/oss-security/2025/05/16/7
- http://www.openwall.com/lists/oss-security/2025/05/17/2
- https://lists.debian.org/debian-lts-announce/2025/05/msg00033.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e
- https://sourceware.org/bugzilla/show_bug.cgi?id=32976
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.