Description
Finit provides fast init for Linux systems. Finit's urandom plugin has a heap buffer overwrite vulnerability at boot: the plugin writes past the end of a heap buffer and overwrites other parts of the heap, which can cause random instabilities and undefined behavior. The urandom plugin is enabled by default, so this bug affects everyone using Finit 4.2 or later who does not explicitly disable the plugin at build time. This bug is fixed in Finit 4.12. Those who cannot upgrade or backport the fix to urandom.c are strongly recommended to disable the plugin in the call to the `configure` script.
References (2)
Core References
Vendor Advisory (x_refsource_confirm): https://github.com/troglobit/finit/security/advisories/GHSA-fv6v-vw8h-9x79
Scores
CVSS v3: 4.6
EPSS: 0.0007
EPSS Percentile: 21.4%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-787
Status: published
Products (1)
troglobit/finit: >= 4.2, < 4.12
Published: May 06, 2025
Tracked Since: Feb 18, 2026