CVE-2025-4802

Name of the Vulnerable Software and Affected Versions GNU C Library versions 2.27 through 2.38

Description The issue is related to the untrusted LD LIBRARY PATH environment variable vulnerability in the GNU C Library. This vulnerability allows an attacker to control the loading of a dynamically shared library in statically compiled setuid binaries that call dlopen, including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo. The vulnerability can be exploited by an attacker to execute arbitrary code with elevated privileges. It is estimated that millions of Linux systems are potentially affected by this issue.

Recommendations To resolve the issue, update the GNU C Library to version 2.39 or later. As a temporary workaround, consider restricting access to the LD LIBRARY PATH environment variable to minimize the risk of exploitation. Additionally, audit setuid binaries and remove any unnecessary ones to reduce the attack surface. Implement access control mechanisms, such as SELinux or AppArmor, to limit the ability to manipulate environment variables.