CVE-2025-15281

HIGH

GNU Glibc < 2.43 - Use of Uninitialized Resource

Title source: rule

Description

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

References (2)

[Issue Tracking, Patch] https://sourceware.org/bugzilla/show_bug.cgi?id=33814

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2026/01/20/3

Scores

CVSS v3 7.5

EPSS 0.0007

EPSS Percentile 21.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-908

Status published

Products (1)

gnu/glibc 2.0 - 2.43

Published Jan 20, 2026

Tracked Since Feb 18, 2026