CVE-2025-4802

CVSS 7.8 - HIGH

Description

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

Affected Products

1

Vendor	Product	Version
gnu	glibc	`All versions`

References

https://sourceware.org/bugzilla/show_bug.cgi?id=32...

https://sourceware.org/cgit/glibc/commit/?id=1e185...

http://www.openwall.com/lists/oss-security/2025/05...

http://www.openwall.com/lists/oss-security/2025/05...

https://lists.debian.org/debian-lts-announce/2025/...

Weakness Types

CWE-426

CVE Information

CVE ID:: CVE-2025-4802
Published:: 2025-05-16
Modified:: 2025-11-03
CVSS Score:: 7.8
Severity:: HIGH
Vector:: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Vendors

gnu

Quick Actions

View on NVD Find Similar CVEs

CVSS Severity Scale

0.0 - 3.9 LOW

4.0 - 6.9 MEDIUM

7.0 - 8.9 HIGH

9.0 - 10.0 CRITICAL