CVE-2025-4802


Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library versions 2.27 to 2.38 allows attacker-controlled loading of a dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).


Published

2025-05-16T20:15:22.280

Last Modified

2025-06-17T14:09:23.137

Status

Analyzed

Source

3ff69d7a-14f2-4f67-a097-88dee7810d18

Severity

CVSSv3.1: 7.8 (HIGH)

Weaknesses
  • Type: Secondary
    CWE-426

Affected Vendors & Products
Type         Vendor  Product  Version/Range  Vulnerable?
Application  gnu     glibc    ≤ 2.38         Yes
