CVE-2025-4802

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://sourceware.org/bugzilla/show_bug.cgi?id=32976	Issue Tracking
https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e	Patch
http://www.openwall.com/lists/oss-security/2025/05/16/7	Mailing List
http://www.openwall.com/lists/oss-security/2025/05/17/2	Exploit Mailing List

Configurations

Configuration 1 (hide)

cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*

History

17 Jun 2025, 14:09

Type	Values Removed	Values Added
CPE		cpe:2.3:a:gnu:glibc::::::::
First Time		Gnu Gnu glibc
References	~~() https://sourceware.org/bugzilla/show_bug.cgi?id=32976 -~~	() https://sourceware.org/bugzilla/show_bug.cgi?id=32976 - Issue Tracking
References	~~() https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e -~~	() https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e - Patch
References	~~() http://www.openwall.com/lists/oss-security/2025/05/16/7 -~~	() http://www.openwall.com/lists/oss-security/2025/05/16/7 - Mailing List
References	~~() http://www.openwall.com/lists/oss-security/2025/05/17/2 -~~	() http://www.openwall.com/lists/oss-security/2025/05/17/2 - Exploit, Mailing List

20 May 2025, 14:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.8~~	v2 : unknown v3 : 7.8

19 May 2025, 13:35

Type	Values Removed	Values Added
Summary		(es) La vulnerabilidad de la variable de entorno no confiable LD_LIBRARY_PATH en GNU C Library versión 2.27 a 2.38 permite al atacante cargar, controlada por un atacante, una librería compartida dinámicamente en binarios setuid compilados estáticamente que llaman a dlopen (incluidas las llamadas internas a dlopen después de setlocale o las llamadas a funciones NSS como getaddrinfo).

17 May 2025, 08:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2025/05/17/2 -

17 May 2025, 03:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

17 May 2025, 01:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2025/05/16/7 -

16 May 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-16 20:15

Updated : 2025-06-17 14:09

NVD link : CVE-2025-4802

Mitre link : CVE-2025-4802

CVE.ORG link : CVE-2025-4802

JSON object : View

Products Affected

gnu

glibc

CWE

CWE-426

Untrusted Search Path

{"id": "CVE-2025-4802", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-05-16T20:15:22.280", "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32976", "tags": ["Issue Tracking"], "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18"}, {"url": "https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e", "tags": ["Patch"], "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18"}, {"url": "http://www.openwall.com/lists/oss-security/2025/05/16/7", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2025/05/17/2", "tags": ["Exploit", "Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "description": [{"lang": "en", "value": "CWE-426"}]}], "descriptions": [{"lang": "en", "value": "Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo)."}, {"lang": "es", "value": "La vulnerabilidad de la variable de entorno no confiable LD_LIBRARY_PATH en GNU C Library versi\u00f3n 2.27 a 2.38 permite al atacante cargar, controlada por un atacante, una librer\u00eda compartida din\u00e1micamente en binarios setuid compilados est\u00e1ticamente que llaman a dlopen (incluidas las llamadas internas a dlopen despu\u00e9s de setlocale o las llamadas a funciones NSS como getaddrinfo)."}], "lastModified": "2025-06-17T14:09:23.137", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "29CCC9F6-2130-4DA8-8B5D-7A00337CBC0A", "versionEndIncluding": "2.38", "versionStartIncluding": "2.27"}], "operator": "OR"}]}], "sourceIdentifier": "3ff69d7a-14f2-4f67-a097-88dee7810d18"}

7.8 /10