
Description

A flaw was found in the users crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the erroneous inclusion of the root group in the access list.

PUBLISHED Reserved 2025-06-06 | Published 2025-06-06 | Updated 2025-11-20 | Assigner redhat




HIGH: 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Problem types

Incorrect Privilege Assignment

Product status

Default status
unaffected

0.8.0 (semver) before 0.11.1
affected

Default status
affected

sha256:a6f29da891174e57fcfd131da7aa90c50459ba24164111b83120a1b91f2eabba (rpm) before *
unaffected

Default status
affected

Default status
affected

Default status
unaffected

Default status
affected

Default status
affected

Timeline

2025-06-03: Reported to Red Hat.
2025-01-15: Made public.

References

access.redhat.com/errata/RHSA-2025:12359 (RHSA-2025:12359) vendor-advisory

access.redhat.com/security/cve/CVE-2025-5791 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2370001 (RHBZ#2370001) issue-tracking

crates.io/crates/users

github.com/ogham/rust-users/issues/44

rustsec.org/advisories/RUSTSEC-2025-0040.html

cve.org (CVE-2025-5791)

nvd.nist.gov (CVE-2025-5791)
