#VU103687 Buffer overflow in Glibc - CVE-2025-0395

Cybersecurity Help s.r.o.

Published: 2025-02-06

Vulnerability identifier: #VU103687

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-0395

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Glibc
Universal components / Libraries / Libraries used by multiple products

Vendor: GNU

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when the assert() function fails. A remote attacker can trigger memory corruption and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Glibc: 2.13 - 2.40.9000

External links
https://sourceware.org/bugzilla/show_bug.cgi?id=32582
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2025-0001
https://sourceware.org/pipermail/libc-announce/2025/000044.html
https://www.openwall.com/lists/oss-security/2025/01/22/4
https://www.openwall.com/lists/oss-security/2025/01/22/4
https://www.openwall.com/lists/oss-security/2025/01/23/2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler update for glibc

SUSE update for glibc

Ubuntu update for glibc

Fedora 40 update for glibc

Fedora 41 update for glibc

Ubuntu update for glibc

Denial of service in GNU C Library