Description

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which may abort the process on subsequent calls to wordfree.

PUBLISHED Reserved 2025-12-29 | Published 2026-01-20 | Updated 2026-01-22 | Assigner glibc

Problem types

CWE-908 Use of Uninitialized Resource

Product status

Default status: unaffected

2.0 (custom): affected

Credits

Vitaly Simonovich (finder)

References

www.openwall.com/lists/oss-security/2026/01/20/3

sourceware.org/bugzilla/show_bug.cgi?id=33814

cve.org (CVE-2025-15281)

nvd.nist.gov (CVE-2025-15281)
