CVE-2025-4802

Severity: medium
Published 2025-06-09 · Modified 2025-06-09
CVSS v3: none recorded upstream (Red Hat's own v3 score is given under the errata details below)
CVSS v4: none recorded (not yet in upstream)
VIR risk: 5.5

Description

RHSA-2025:8686: glibc security update (Moderate)

Predictions

Exploit likelihood: 20%
Patch ETA: not applicable (vendor fixes are already released; see the errata table below)

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata (Red Hat Inc.), retrieved via Open-Errata-API


Description

glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH

Red Hat statement

This issue can only be exploited by a local attacker via a static setuid program that calls the dlopen function, causing the library to search LD_LIBRARY_PATH to locate the shared object name to load. No such programs have been found in Red Hat Enterprise Linux at the time of publishing this advisory. However, custom setuid programs, although strongly discouraged as a security practice, may exist and cannot be discarded. Due to these reasons, this flaw has been rated with a moderate severity.

CVSS v3: 7.0 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
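The statement above reduces triage to one question: does any statically linked setuid or setgid executable exist on the host? The script below is an added example, not Red Hat or glibc tooling. It walks a set of directories for setuid/setgid regular files and parses each ELF's program headers, treating an executable with no PT_INTERP entry (no dynamic loader requested, which also covers static-pie) as statically linked. The default search roots and the `synthetic_elf64` fixture are assumptions for illustration; the sample images it builds are constructed, not taken from any system. Whether a flagged binary actually calls dlopen still needs a look at its source or symbols, which the script does not attempt.

```python
"""Find setuid/setgid executables and flag the statically linked ones.

Added example, not Red Hat or glibc tooling. CVE-2025-4802 needs a static
setuid program that calls dlopen, so the first triage step is to learn
whether any static setuid/setgid ELF exists on the host at all. An ELF is
treated as statically linked when it has no PT_INTERP program header, i.e.
it requests no dynamic loader (static-pie has PT_DYNAMIC but no PT_INTERP,
so it is flagged too).
"""
import os
import stat
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3
# Assumed default search roots; pass directories on the command line to override.
DEFAULT_ROOTS = ["/usr", "/opt", "/srv", "/home"]


def elf_program_header_types(data):
    """Return the p_type of every program header in an in-memory ELF image
    (ELF32 or ELF64, either byte order). Raises ValueError on non-ELF input
    and struct.error on a truncated header."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:      # ELF32: e_phoff @0x1c, e_phentsize @0x2a, e_phnum @0x2c
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    elif ei_class == 2:    # ELF64: e_phoff @0x20, e_phentsize @0x36, e_phnum @0x38
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    # p_type is the first 32-bit field of a program header in both classes.
    return [struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
            for i in range(phnum)]


def classify_bytes(data):
    """'static', 'dynamic', 'not-elf' (e.g. a setuid script) or 'malformed'."""
    if data[:4] != ELF_MAGIC:
        return "not-elf"
    try:
        types = elf_program_header_types(data)
    except (ValueError, struct.error, IndexError):
        return "malformed"
    return "dynamic" if PT_INTERP in types else "static"


def find_setuid_files(roots):
    """Yield paths of regular files under roots carrying the setuid or setgid bit.
    Symlinks are not followed and unreadable directories are skipped."""
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    yield path


def scan(roots):
    """Map each setuid/setgid file under roots to its classification."""
    result = {}
    for path in find_setuid_files(roots):
        try:
            with open(path, "rb") as fh:
                result[path] = classify_bytes(fh.read())
        except OSError:
            result[path] = "unreadable"
    return result


def synthetic_elf64(p_types, little_endian=True):
    """Constructed fixture: a minimal ELF64 image whose program headers carry
    the given p_type values. Only the fields this module reads are meaningful."""
    end = "<" if little_endian else ">"
    ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1]) + bytes(9)
    header = ident + struct.pack(end + "HHIQQQIHHHHHH",
                                 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(p_types), 64, 0, 0)
    phdrs = b"".join(struct.pack(end + "IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return header + phdrs


if __name__ == "__main__":
    roots = sys.argv[1:] or DEFAULT_ROOTS
    for path, kind in sorted(scan(roots).items()):
        flag = "  <-- review: static setuid/setgid" if kind == "static" else ""
        print(f"{kind:9} {path}{flag}")
```

Run it as root so that every setuid file is readable; a "static" line is a candidate for the condition in Red Hat's statement, a "not-elf" line is a setuid script (a separate problem) and "malformed" means the file claims to be ELF but its header table is truncated.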

Errata / fixed releases

Product | Package | Advisory | Released
Red Hat Enterprise Linux 7.7 Advanced Update Support | glibc-0:2.17-292.el7_7.3 | RHSA-2025:10220 | 2025-07-02
Red Hat Enterprise Linux 7 Extended Lifecycle Support | glibc-0:2.17-326.el7_9.5 | RHSA-2025:10219 | 2025-07-02
Red Hat Enterprise Linux 8 | glibc-0:2.28-251.el8_10.22 | RHSA-2025:8686 | 2025-06-09
Red Hat Enterprise Linux 9 | glibc-0:2.34-168.el9_6.19 | RHSA-2025:8655 | 2025-06-09
Red Hat Enterprise Linux 9.4 Extended Update Support | glibc-0:2.34-100.el9_4.12 | RHSA-2025:9336 | 2025-06-23
Red Hat OpenShift Container Platform 4.16 | rhcos-416.94.202506251808-0 | RHSA-2025:9765 | 2025-07-02
Red Hat OpenShift Container Platform 4.17 | rhcos-417.94.202507021305-0 | RHSA-2025:10294 | 2025-07-09
Red Hat OpenShift Container Platform 4.18 | rhcos-418.94.202506251005-0 | RHSA-2025:9725 | 2025-07-02
Red Hat OpenShift Container Platform 4.19 | rhcos-4.19.9.6.202506252250-0 | RHSA-2025:9750 | 2025-07-01
Red Hat Discovery 1.14 | discovery/discovery-server-rhel9:1.14.5-1749654812 | RHSA-2025:9028 | 2025-06-12
Red Hat Discovery 2 | discovery/discovery-server-rhel9:2.0.0-1752592913 | RHSA-2025:11487 | 2025-07-21

Package state

Product | Package | State
Red Hat Enterprise Linux 10 | glibc | Not affected
Red Hat Enterprise Linux 6 | compat-glibc | Not affected
Red Hat Enterprise Linux 6 | glibc | Not affected
Red Hat Enterprise Linux 7 | compat-glibc | Not affected

Apply commands

The fixed glibc is delivered through the per-product advisories in the errata table above, so a plain package update pulls it in. RHEL 7 (AUS/ELS) uses yum; RHEL 8 and 9 use dnf. The --advisory form restricts the transaction to this erratum.

# RHEL 7.7 AUS (RHSA-2025:10220) / RHEL 7 ELS (RHSA-2025:10219)
yum update -y glibc
# or only this erratum:
yum update -y --advisory=RHSA-2025:10220

# RHEL 8 (RHSA-2025:8686) / RHEL 9 (RHSA-2025:8655) / RHEL 9.4 EUS (RHSA-2025:9336)
dnf upgrade -y glibc
# or only this erratum:
dnf upgrade -y --advisory=RHSA-2025:8686

# confirm the installed build is at or above the fixed release from the table
rpm -q glibc

Two caveats after the update: processes that already have the old libc mapped keep using it until they are restarted (a reboot is the reliable way to cover all of them), and a custom statically linked setuid program carries its own copy of glibc, so updating the glibc package does not fix it; it must be rebuilt against the updated glibc-static.
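To check a fleet's installed glibc against the fixed builds in the errata table without running yum or dnf on every host, the following added example (not Red Hat tooling) re-implements librpm's rpmvercmp() segment ordering in Python and compares an installed epoch:version-release string, as printed by `rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' glibc`, against the fixed release for the host's product. The FIXED_GLIBC table is copied from the errata above; the product keys and the SAMPLE_HOSTS inventory are constructed for illustration. Keying by product matters: the RHEL 9.4 EUS fix has a lower release number than the RHEL 9 fix, so a single global threshold would misjudge EUS hosts.

```python
"""Compare an installed glibc EVR against the fixed builds from the RHSA table.

Added example: a self-contained re-implementation of librpm's rpmvercmp()
ordering; it is not Red Hat tooling. Feed it the output of
    rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' glibc
"""
import re

_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")

# Fixed glibc builds per product, copied from the "Errata / fixed releases" table.
# The short product keys are this example's own naming.
FIXED_GLIBC = {
    "rhel7.7-aus": "0:2.17-292.el7_7.3",    # RHSA-2025:10220
    "rhel7-els":   "0:2.17-326.el7_9.5",    # RHSA-2025:10219
    "rhel8":       "0:2.28-251.el8_10.22",  # RHSA-2025:8686
    "rhel9":       "0:2.34-168.el9_6.19",   # RHSA-2025:8655
    "rhel9.4-eus": "0:2.34-100.el9_4.12",   # RHSA-2025:9336
}


def rpmvercmp(a, b):
    """Order two RPM version or release strings like librpm's rpmvercmp():
    -1 if a < b, 0 if equal, 1 if a > b. Non-alphanumerics only separate
    segments; numeric segments compare numerically (leading zeros ignored),
    alphabetic segments compare lexically, a numeric segment is newer than an
    alphabetic one, '~' sorts before everything, and when one string runs out
    first the one with characters left wins."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum() and a[i] not in "~^":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":            # tilde: pre-release, older than anything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":            # caret: newer than end of string only
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        matcher = _DIGITS if isnum else _ALPHA
        ma, mb = matcher.match(a, i), matcher.match(b, j)
        if mb is None:                         # segment types differ
            return 1 if isnum else -1
        sa, sb = ma.group(), mb.group()
        i, j = ma.end(), mb.end()
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr):
    """Split 'epoch:version-release' into its parts. A missing epoch, or the
    '(none)' placeholder that %{EPOCH} prints, counts as epoch 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    if epoch == "(none)":
        epoch = "0"
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a, b):
    """Compare epoch, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def is_fixed(installed_evr, product):
    return evr_cmp(installed_evr, FIXED_GLIBC[product]) >= 0


# Constructed sample inventory (product, `rpm -q` output); not real hosts.
SAMPLE_HOSTS = {
    "web01": ("rhel9", "0:2.34-168.el9_6.19"),   # exactly the fixed build
    "db01":  ("rhel8", "0:2.28-251.el8_10.13"),  # older release: still vulnerable
    "app02": ("rhel9", "0:2.34-168.el9_6.20"),   # newer than the fix: fine
}


def report(hosts=SAMPLE_HOSTS):
    return {name: is_fixed(evr, product) for name, (product, evr) in hosts.items()}


if __name__ == "__main__":
    for host, ok in report().items():
        print(f"{host}: {'fixed' if ok else 'VULNERABLE'}")
```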

Affected

This per-vendor list carries only the not-affected entries; the affected products and their fixes are in the errata table above. The Red Hat Enterprise Linux 7 entry refers to compat-glibc (see the package state table); the RHEL 7 glibc package itself is fixed by the AUS and ELS errata.

Vendor | Product | Status
redhat | Red Hat Enterprise Linux 10 | Not affected
redhat | Red Hat Enterprise Linux 6 | Not affected
redhat | Red Hat Enterprise Linux 7 | Not affected

OS impact

OS | Version | Status | Fixed in
redhat | rhel8 | fixed |
redhat | rhel9 | fixed |
rockylinux | rocky8 | fixed |
rockylinux | rocky9 | fixed |
almalinux | almalinux8 | fixed | glibc-headers-2.28-251.el8_10.22.i686.rpm
almalinux | almalinux9 | fixed | glibc-devel-2.34-168.el9_6.19.aarch64.rpm
debian | bullseye | fixed | 2.31-13+deb11u13
debian | bookworm | fixed | 2.36-9+deb12u11
debian | trixie | fixed | 2.39-4
debian | forky | fixed | 2.39-4
debian | sid | fixed | 2.39-4
suse | sles | affected |
