← back
CVE-2025-14104

Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames

CVSS 6.1 MEDIUMEPSS 0.2%CWE-125
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.1EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
05 Dec 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Affected products
Red Hat · Red Hat Ceph Storage 7Red Hat · Red Hat Ceph Storage 8Red Hat · Red Hat Ceph Storage 9Red Hat · Red Hat Enterprise Linux 10Red Hat · Red Hat Enterprise Linux 6Red Hat · Red Hat Enterprise Linux 7Red Hat · Red Hat Enterprise Linux 8Red Hat · Red Hat Enterprise Linux 9Red Hat · Red Hat Hardened ImagesRed Hat · Red Hat Insights proxy 1.5Red Hat · Red Hat In-Vehicle Operating System 1Red Hat · Red Hat OpenShift Container Platform 4Red Hat · Red Hat Update Infrastructure 5util-linux · util-linux

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://access.redhat.com/errata/RHSA-2026:1696https://access.redhat.com/errata/RHSA-2026:1852https://access.redhat.com/errata/RHSA-2026:1913https://access.redhat.com/errata/RHSA-2026:2485https://access.redhat.com/errata/RHSA-2026:2563https://access.redhat.com/errata/RHSA-2026:2737https://access.redhat.com/errata/RHSA-2026:2800https://access.redhat.com/errata/RHSA-2026:3406https://access.redhat.com/errata/RHSA-2026:4943https://access.redhat.com/errata/RHSA-2026:7180https://access.redhat.com/security/cve/CVE-2025-14104https://bugzilla.redhat.com/show_bug.cgi?id=2419369