CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-5278: Coreutils: heap buffer under-read in gnu coreutils sort via key specification

4.4 CVSS

Description

A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.

Classification

CVE ID: CVE-2025-5278

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.4

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

Problem Types

Stack-based Buffer Overflow

Affected Products

Vendor: Red Hat

Product: Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, Red Hat OpenShift Container Platform 4

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (probability of being exploited)

EPSS Percentile: 1.59% (scored less or equal to compared to others)

EPSS Date: 2025-06-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-5278
https://access.redhat.com/security/cve/CVE-2025-5278
https://bugzilla.redhat.com/show_bug.cgi?id=2368764

Timeline

2025-05-27 21:40:21 UTC
CVE

Coreutils: heap buffer under-read in gnu coreutils sort via key specification