CVE-2025-14282

NameCVE-2025-14282
Descriptionprivilege escalation via unix stream socket forwarding
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6086-1
Debian Bugs1123069

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dropbear (PTS)bullseye2020.81-3+deb11u2fixed
bullseye (security)2020.81-3+deb11u3fixed
bookworm2022.83-1+deb12u3fixed
trixie2025.88-2vulnerable
trixie (security)2025.89-1~deb13u1fixed
forky, sid2025.89-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dropbearsourcebullseye(not affected)
dropbearsourcebookworm(not affected)
dropbearsourcetrixie2025.89-1~deb13u1DSA-6086-1
dropbearsource(unstable)2025.89-11123069

Notes

[bookworm] - dropbear <not-affected> (Vulnerable code introduced later)
[bullseye] - dropbear <not-affected> (Vulnerable code introduced later)
https://github.com/mkj/dropbear/pull/391
https://github.com/mkj/dropbear/pull/394
https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2025q4/002390.html
https://github.com/turistu/odds-n-ends/blob/main/CVE-2025-14282.md
Search for package or bug name: Reporting problems