CVE-2025-4802 | THREATINT

Description

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

PUBLISHED Reserved 2025-05-15 | Published 2025-05-16 | Updated 2026-02-26 | Assigner glibc

Problem types

CWE-426 Untrusted Search Path

Product status

Default status

unaffected

2.27 (custom) before 2.39

affected

References

www.openwall.com/lists/oss-security/2025/05/16/7

www.openwall.com/lists/oss-security/2025/05/17/2

lists.debian.org/debian-lts-announce/2025/05/msg00033.html

sourceware.org/...d=1e18586c5820e329f741d5c710275e165581380e

sourceware.org/bugzilla/show_bug.cgi?id=32976

cve.org (CVE-2025-4802)

nvd.nist.gov (CVE-2025-4802)

Download JSON