VIR Vulnerability Intelligence Relay

CVE-2015-8325

high
Published 2016-05-01 · Modified 2026-05-22
CVSS v3
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v2
7.2
VIR risk
7.8

Description

The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.

Predictions

Exploit likelihood
75%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2015-8325

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2015-8325.html

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debian7.0affected
debian debian8.0affected
ubuntu ubuntu12.04affected
ubuntu ubuntu14.04affected
ubuntu ubuntu15.10affected
debian debianbookwormfixed1:7.2p2-3
debian debianbullseyefixed1:7.2p2-3
debian debianforkyfixed1:7.2p2-3
debian debiansidfixed1:7.2p2-3
debian debiantrixiefixed1:7.2p2-3

Application impact
VendorProductVersionsFixed
openbsdopenssh{"endIncluding":"7.2"}

References

CWEs

CWE-264 CWE-1262

Verify integrity in audit chain (admin only). AS-IS.