CVE-2025-8058

NameCVE-2025-8058
DescriptionThe regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1109803

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glibc (PTS)bullseye2.31-13+deb11u11vulnerable
bullseye (security)2.31-13+deb11u13vulnerable
bookworm2.36-9+deb12u13fixed
bookworm (security)2.36-9+deb12u7vulnerable
forky, sid, trixie2.41-12fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
glibcsourcebookworm2.36-9+deb12u13
glibcsource(unstable)2.41-111109803

Notes

[bullseye] - glibc <postponed> (Minor issue)
https://sourceware.org/bugzilla/show_bug.cgi?id=33185
https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2025-0005
Inroduced with: https://sourceware.org/git/?p=glibc.git;a=commit;h=963d8d782fc98fb6dc3a66f0068795f9920c269d
Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=7ea06e994093fa0bcca0d0ee2c1db271d8d7885d

Search for package or bug name: Reporting problems