CVE-2025-14104: A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()`…

medium6.1CVSS 3.1

AVLACLPRLUINSUCLINAH

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Affected

7 ranges

Vendor	Product	Version range	Fixed in
debian	util-linux	< util-linux 2.41.3-1 (forky)	util-linux 2.41.3-1 (forky)
kernel	util-linux	>= 0 < 2.41.3-1	2.41.3-1
msrc	azl3_util-linux_2.40.2-1_on_azure_linux_3.0	—	—
msrc	azl3_util-linux_2.40.2-3_on_azure_linux_3.0	—	—
msrc	cbl2_util-linux_2.37.4-10_on_cbl_mariner_2.0	—	—
msrc	cbl2_util-linux_2.37.4-9_on_cbl_mariner_2.0	—	—
util-linux	util-linux	< 2.41.3	2.41.3

CVSS provenance

nvdv3.16.1MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

osv6.1MEDIUM