CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-4802: Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of...

7.8 CVSS

Description

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

Classification

CVE ID: CVE-2025-4802

CVSS Base Severity: HIGH

CVSS Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem Types

CWE-426 Untrusted Search Path

Affected Products

Vendor: The GNU C Library

Product: glibc

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (probability of being exploited)

EPSS Percentile: 1.38% (scored less or equal to compared to others)

EPSS Date: 2025-06-14 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4802
https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e
https://sourceware.org/bugzilla/show_bug.cgi?id=32976

Timeline

2025-05-16 20:40:17 UTC
CVE

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of...