Denial of Service Vulnerability in vsftpd Affects Multiple Versions
CVE-2025-14242

6.5MEDIUM

Key Information:

Vendor

Red Hat
Status
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 10.0 Extended Update Support
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8.2 Advanced Update Support
Vendor
CVE Published:
14 January 2026

What is CVE-2025-14242?

A vulnerability in vsftpd has been identified, allowing a denial of service condition. This flaw arises from an integer overflow in the ls command parameter parsing. A remote, authenticated adversary can exploit this vulnerability by sending a specially crafted STAT command containing a specific byte sequence, which may cause the server to become unresponsive.

Affected Version(s)

Red Hat Enterprise Linux 10 0:3.0.5-10.el10_1.1

Red Hat Enterprise Linux 10.0 Extended Update Support 0:3.0.5-9.el10_0.1

Red Hat Enterprise Linux 8 0:3.0.3-36.el8_10.3

References

https://access.redhat.com/errata/RHSA-2026:0605
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:0606
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:0608
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.