CVE-2025-4802: glibc¶

Title¶

CVE-2025-4802: glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH

Summary¶

A statically linked setuid binary that calls dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo) may incorrectly search LD_LIBRARY_PATH to determine which library to load, leading to the execution of library code that is attacker controlled.

The only viable vector for exploitation of this bug is local, if a static setuid program exists, and that program calls dlopen, then it may search LD_LIBRARY_PATH to locate the SONAME to load. No such program has been discovered at the time of publishing this advisory, but the presence of custom setuid programs, although strongly discouraged as a security practice, cannot be discounted.

Public disclosure date: May 16, 2025

EL9¶

Fully mitigated since version: 2.34-60.el9.security.0.2 available October 3, 2023
Fixed in upstream version: 2.34-168.el9_6.19 available June 9, 2025

EL8¶

Fixed in upstream version: 2.28-251.el8_10.22 available June 9, 2025

Note on fixes¶

Since this vulnerability affects static linking, what matters is whether the system used to build (not run!) the program has (or had) vulnerable glibc or not.