Bug 2419369 (CVE-2025-14104)

Summary: CVE-2025-14104 util-linux: util-linux: Heap buffer overread in setpwnam() when processing 256-byte usernames
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: MODIFIED --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, crizzo, gtanzill, hoffman.viking, jbuscemi, jmitchel, kshier, kzak, pbohmill, slayericefire, stcannon, teagle, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2419370, 2419371    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-05 14:21:04 UTC 
A flaw was found in util-linux. Heap buffer overread when processing 256-byte usernames.
Affects any SUID login-utils utility writing to password database. The setpwnam() function allocates a 256-byte buffer but accesses linebuf[256] when username length equals 256, causing a heap buffer overread.
Comment 2 Karel Zak 2026-01-14 13:10:32 UTC 
Fixed in upstream release v2.41.3, upgrade already available in f44 and f43. 

The bugfix was also backported into f42 (util-linux-2.40.4-8.fc42).

The bug is in very old code (from 1997), so all older versions are affected.
Comment 3 John 2026-01-14 16:16:29 UTC 
Status request: What is the timeline for backporting CVE-2025-14104 to CentOS Stream 9?

Timeline data:
- CVE disclosed: Dec 2024 (13 months ago)
- Upstream fix: Available Dec 2024
- Fedora 43: Patched Dec 2024
- SUSE: Patched Jan 2026
- CentOS Stream 9: util-linux-2.37.4-21 (last update ~Feb 2025)

This affects SUID utilities in multi-user environments. A 13-month delay for a 
moderate CVE with available upstream fixes seems unusual for a security-focused 
distribution.

Is there a backport timeline or reason for the delay?
Comment 4 errata-xmlrpc 2026-02-02 10:05:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1696 https://access.redhat.com/errata/RHSA-2026:1696
Comment 5 Matt 2026-02-03 14:50:13 UTC 
Is there no intention to fix the CVE-2025-14104 vulnerability for CentOS Stream 9?
Comment 6 Karel Zak 2026-02-04 07:25:27 UTC 
The bugfix is expected in RHEL-9.8 and 10.2, it's already in the c10s branch
https://gitlab.com/redhat/centos-stream/rpms/util-linux/-/commit/bde27314c01431821a0dd620a51643ab2170c40b

and in c9s branch by commit:
https://gitlab.com/redhat/centos-stream/rpms/util-linux/-/commit/22261c4fc3ece3f3d74ef4ea37aacc87c38eaf3d
Comment 7 Karel Zak 2026-02-04 07:33:46 UTC 
Adn builds: https://kojihub.stream.centos.org/koji/packageinfo?packageID=2257

util-linux-2.37.4-24.el9 	2025-12-15 11:02:17
util-linux-2.40.2-17.el10 	2025-12-15 10:55:39
Comment 8 errata-xmlrpc 2026-02-04 11:05:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:1852 https://access.redhat.com/errata/RHSA-2026:1852
Comment 9 errata-xmlrpc 2026-02-04 19:48:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1913 https://access.redhat.com/errata/RHSA-2026:1913