CVE-2025-4802

Published: 5/16/2025 Last updated: 5/20/2025 Reserved: 5/15/2025

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

CNA assigner: glibc (3ff69d7a-14f2-4f67-a097-88dee7810d18) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	7.8	High	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Opam packages affected (1)

gettext-stub

Products affected (1)

Product	Vendor	Version
glibc	The GNU C Library	All versions prior to version 42059b6319661583b3080cab9b595d4f8ac48128

References (4)

https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e
https://sourceware.org/bugzilla/show_bug.cgi?id=32976
http://www.openwall.com/lists/oss-security/2025/05/16/7
http://www.openwall.com/lists/oss-security/2025/05/17/2