CVE-2025-4802

7.8 HIGH
Published: May 16, 2025 Modified: November 03, 2025
View on NVD

Description

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://sourceware.org/bugzilla/show_bug.cgi?id=32976
Source: 3ff69d7a-14f2-4f67-a097-88dee7810d18
Issue Tracking
https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e
Source: 3ff69d7a-14f2-4f67-a097-88dee7810d18
Patch
http://www.openwall.com/lists/oss-security/2025/05/16/7
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List
http://www.openwall.com/lists/oss-security/2025/05/17/2
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Mailing List
https://lists.debian.org/debian-lts-announce/2025/05/msg00033.html
Source: af854a3a-2127-422b-91ae-364da2661108

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.8 / 10.0
EPSS (Exploit Probability)
0.0%
1th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-426

Affected Vendors

gnu

Related CVEs

CVE-2025-69261 N/A
CVE-2025-69257 6.7
CVE-2025-69210 N/A
CVE-2025-66823 N/A
CVE-2025-50343 N/A