CVE-2025-14104

NameCVE-2025-14104
DescriptionA flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1122058

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
util-linux (PTS)bullseye (security), bullseye2.36.1-8+deb11u2vulnerable
bookworm2.38.1-5+deb12u3vulnerable
bookworm (security)2.38.1-5+deb12u1vulnerable
trixie2.41-5vulnerable
forky2.41.2-4vulnerable
sid2.41.3-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
util-linuxsource(unstable)2.41.3-11122058

Notes

[trixie] - util-linux <no-dsa> (Minor issue)
[bookworm] - util-linux <no-dsa> (Minor issue)
[bullseye] - util-linux <postponed> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2419369
https://github.com/util-linux/util-linux/issues/3585
https://github.com/util-linux/util-linux/pull/3586
Fixed by: https://github.com/util-linux/util-linux/commit/aaa9e718c88d6916b003da7ebcfe38a3c88df8e6
Fixed by: https://github.com/util-linux/util-linux/commit/9a36d77012c4c771f8d51eba46b6e62c29bf572a
Search for package or bug name: Reporting problems