Untrusted Environment Variable Vulnerability in GNU C Library
CVE-2025-4802

7.8HIGH

Key Information:

Vendor: The Gnu C Library
Status: Glibc
Vendor: CVE Published:; 16 May 2025

🔔 Create The Gnu C Library Vulnerability Alert

What is CVE-2025-4802?

CVE-2025-4802 is a notable vulnerability found in the GNU C Library (glibc), specifically affecting versions 2.27 to 2.38. This library serves as a core component of many Unix-like operating systems, providing essential functions for system calls and standard libraries required by applications. The vulnerability arises from an untrusted LD_LIBRARY_PATH environment variable, which allows attackers to manipulate the dynamic loading of shared libraries in statically compiled setuid binaries that utilize the dlopen functionality. If exploited, this could enable an attacker to introduce malicious libraries into applications, potentially leading to unauthorized code execution. The serious nature of this vulnerability presents significant risks for organizations that rely on affected versions of glibc, as it may compromise system integrity and security.

Potential impact of CVE-2025-4802

Unauthorized Code Execution: Exploitation of this vulnerability could allow attackers to execute arbitrary code within the context of a privileged application. This level of access could potentially lead to full system compromise, enabling further exploitation and control over affected systems.
Data Breaches: Given that glibc is widely utilized in many applications and systems, a successful attack could result in unauthorized access to sensitive data. This could include personally identifiable information (PII), financial details, or confidential business data, leading to significant risks for privacy and regulatory compliance.
Increased Attack Surface: As this vulnerability affects a critical component in numerous applications, its presence may heighten the overall vulnerability landscape of an organization. Attackers could exploit this flaw to gain initial access to systems, which might facilitate lateral movement within networks or act as a stepping stone for subsequent attack vectors, further escalatating the security risks.

Affected Version(s)

glibc 2.27 < 2.39

References

https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820...

https://sourceware.org/bugzilla/show_bug.cgi?id=32976

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 16, 2025
Vulnerability Reserved
May 15, 2025