CVE-2025-4802

HIGH

GNU C Library <2.39 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-4802. PoCs published by Betim-Hodza.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2025-4802, demonstrating privilege escalation via untrusted LD_LIBRARY_PATH in statically compiled setuid binaries that call dlopen(). The exploit includes a legitimate shared object, a malicious shared object that spawns a root shell, and a vulnerable setuid binary to demonstrate the attack.

Description

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

Exploits (1)

nomisec WORKING POC 1 stars

by Betim-Hodza · poc

https://github.com/Betim-Hodza/CVE-2025-4802-Proof-of-Concept

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2025-4802, demonstrating privilege escalation via untrusted LD_LIBRARY_PATH in statically compiled setuid binaries that call dlopen(). The exploit includes a legitimate shared object, a malicious shared object that spawns a root shell, and a vulnerable setuid binary to demonstrate the attack.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: GNU C Library (glibc) versions 2.27–2.38

No auth needed

Prerequisites: Statically compiled setuid binary that calls dlopen() · Attacker-controlled LD_LIBRARY_PATH · Vulnerable glibc version (2.27–2.38)

MITRE ATT&CK

T1548.001 - Setuid and Setgid

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (5)

Core 5

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2025/05/msg00033.html

Issue Tracking

https://sourceware.org/bugzilla/show_bug.cgi?id=32976

Patch

https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e

Mailing List

http://www.openwall.com/lists/oss-security/2025/05/16/7

Exploit, Mailing List

http://www.openwall.com/lists/oss-security/2025/05/17/2

Scores

CVSS v3 7.8

EPSS 0.0039

EPSS Percentile 30.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-426

Status published

Products (1)

gnu/glibc 2.27 - 2.38

Published May 16, 2025

Tracked Since Feb 18, 2026