CVE-2025-9301

Name: CVE-2025-9301
Description: A vulnerability was determined in cmake 4.1.20250725-gb5cce23. This affects the function cmForEachFunctionBlocker::ReplayItems of the file cmForEachCommand.cxx. This manipulation causes a reachable assertion. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Patch name: 37e27f71bc356d880c908040cd0cb68fa2c371b8. It is suggested to install a patch to address this issue.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| cmake (PTS) | bullseye | 3.18.4-2+deb11u1 | vulnerable |
| | bookworm | 3.25.1-1 | vulnerable |
| | trixie | 3.31.6-2 | vulnerable |
| | forky, sid | 4.1.1+really3.31.6-1 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cmake | source | (unstable) | (unfixed) | unimportant | | |

Notes

https://gitlab.kitware.com/cmake/cmake/-/issues/27135
Fixed by: https://gitlab.kitware.com/cmake/cmake/-/commit/37e27f71bc356d880c908040cd0cb68fa2c371b8
Negligible security impact
