cbcvebase.
CVE-2025-15281
published 2026-01-20


CVSS 3.1: 7.5 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.
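The call pattern behind this advisory, and the way to avoid it, as an added example written for this page (it is not code from glibc or from the advisory, and it does not reproduce the crash). It never passes WRDE_REUSE together with WRDE_APPEND: a wordexp_t is reused by releasing it with wordfree() and starting again from a zeroed struct, and each result is checked for the null terminator POSIX promises at we_wordv[we_wordc]. WRDE_NOCMD is an extra hardening choice added here and is unrelated to the fix. The names expand_all, vector_is_sane, demo_reuse and demo_nocmd, and the sample patterns, are made up for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Expand n patterns into one word vector.  The first call starts a fresh
 * expansion; later calls pass WRDE_APPEND so the words accumulate in
 * we->we_wordv.  WRDE_REUSE is deliberately never combined with WRDE_APPEND
 * (the combination named in CVE-2025-15281): to reuse a wordexp_t, call
 * wordfree() and start again from an all-zero struct.  WRDE_NOCMD is an
 * extra hardening choice, not part of the CVE fix: it rejects $(...) and
 * `...` command substitution, which matters whenever a pattern can be
 * influenced by untrusted input.  Returns 0 or a WRDE_* error code; on
 * error the struct is released and zeroed. */
static int expand_all(wordexp_t *we, const char *const *patterns, size_t n)
{
    int flags = WRDE_NOCMD;

    memset(we, 0, sizeof *we);
    for (size_t i = 0; i < n; i++) {
        int rc = wordexp(patterns[i], we, flags);
        if (rc != 0) {
            /* POSIX requires wordfree() after WRDE_NOSPACE.  Because we
             * started from a zeroed struct, we_wordv is NULL or a valid
             * vector after the other error codes as well (assumption:
             * the libc restores or clears we_wordv on error, as glibc does). */
            wordfree(we);
            memset(we, 0, sizeof *we);
            return rc;
        }
        flags |= WRDE_APPEND;   /* accumulate; never WRDE_REUSE | WRDE_APPEND */
    }
    return 0;
}

/* Check the invariant the advisory's bug breaks: every one of the we_wordc
 * entries is a real string and the slot after the last word is NULL. */
static int vector_is_sane(const wordexp_t *we)
{
    if (we->we_wordv == NULL)
        return we->we_wordc == 0;
    for (size_t i = 0; i < we->we_wordc; i++)
        if (we->we_wordv[i] == NULL)
            return 0;
    return we->we_wordv[we->we_wordc] == NULL;
}

/* Two independent expansions reusing one struct the safe way.  Returns the
 * total number of words over both rounds, or -1 on any failure.
 * The patterns are constructed sample input. */
int demo_reuse(void)
{
    static const char *const round1[] = { "alpha beta", "gamma" };
    static const char *const round2[] = { "delta" };
    wordexp_t we;
    int total = 0;

    if (expand_all(&we, round1, 2) != 0 || !vector_is_sane(&we))
        return -1;
    total += (int)we.we_wordc;        /* "alpha", "beta", "gamma" -> 3 */
    wordfree(&we);                    /* release; expand_all() re-zeroes it */

    if (expand_all(&we, round2, 1) != 0 || !vector_is_sane(&we))
        return -1;
    total += (int)we.we_wordc;        /* "delta" -> 4 in total */
    wordfree(&we);
    return total;
}

/* WRDE_NOCMD at work: a pattern carrying command substitution is refused
 * with WRDE_CMDSUB instead of being handed to the shell.  Constructed input. */
int demo_nocmd(void)
{
    static const char *const hostile[] = { "$(id)" };
    wordexp_t we;
    return expand_all(&we, hostile, 1);
}

int main(void)
{
    printf("words over two rounds: %d\n", demo_reuse());
    printf("hostile pattern status: %d (WRDE_CMDSUB is %d)\n",
           demo_nocmd(), (int)WRDE_CMDSUB);
    return 0;
}
```

Build with `cc -Wall example.c` and run it; it completes normally on any glibc, fixed or not, because the affected flag combination is never used. Passing WRDE_REUSE | WRDE_APPEND on the second round instead of the wordfree()-then-zero sequence is the call pattern the advisory describes.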

Affected

11 ranges

Vendor             Product  Version range                    Fixed in
debian             glibc    < glibc 2.42-11 (forky)          glibc 2.42-11 (forky)
gnu                glibc    >= 0 < 2.41-12+deb13u2           2.41-12+deb13u2
gnu                glibc    >= 0 < 2.42-11                   2.42-11
gnu                glibc    >= 0 < 2.35-0ubuntu3.13          2.35-0ubuntu3.13
gnu                glibc    >= 0 < 2.39-0ubuntu8.7           2.39-0ubuntu8.7
gnu                glibc    >= 0 < 2.42-0ubuntu3.1           2.42-0ubuntu3.1
gnu                glibc    >= 0 < 2.23-0ubuntu11.3+esm9     2.23-0ubuntu11.3+esm9
gnu                glibc    >= 0 < 2.27-3ubuntu1.6+esm6      2.27-3ubuntu1.6+esm6
gnu                glibc    >= 0 < 2.31-0ubuntu9.18+esm1     2.31-0ubuntu9.18+esm1
gnu                glibc    >= 2.0 < 2.43                    2.43
the_gnu_c_library  glibc    2.0 – 2.42                       (no fixed version listed)

The upstream fix is glibc 2.43. The rows with +debNuN, ubuntuN and +esmN suffixes are Debian and Ubuntu package versions that ship a fix for the affected series.

CVSS provenance

Source  Version  Score  Severity  Vector
NVD     v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
OSV              7.5    HIGH