| Name | CVE-2025-46802 |
| Description | For a short time they PTY is set to mode 666, allowing any user on the system to connect to the screen session. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1105191 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| screen (PTS) | bullseye | 4.8.0-6 | vulnerable |
| bookworm | 4.9.0-4 | vulnerable |
| forky, sid, trixie | 4.9.1-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| screen | source | (unstable) | 4.9.1-3 | unimportant | | 1105191 |
Notes
Fixed by: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=049b26b22e197ba3be9c46e5c193032e01a4724a
https://www.openwall.com/lists/oss-security/2025/05/12/1
Has potential to break some reattach use cases, but the specific use case
was broken already before.
screen in Debian not installed setuid or setgid