A flaw was found in util-linux. Heap buffer overread when processing 256-byte usernames. Affects any SUID login-utils utility writing to password database. The setpwnam() function allocates a 256-byte buffer but accesses linebuf[256] when username length equals 256, causing a heap buffer overread.
Fixed in upstream release v2.41.3, upgrade already available in f44 and f43. The bugfix was also backported into f42 (util-linux-2.40.4-8.fc42). The bug is in very old code (from 1997), so all older versions are affected.
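To illustrate the off-by-one described above (a 256-byte line buffer indexed at position 256 when the user name is exactly 256 bytes long), here is an added C model of the matching step with a hardened variant. It is not the util-linux setpwnam() code; the functions, the `linebuf`/`name` layout and the `demo_boundary` helper are assumptions built to show the boundary case.

```c
#include <stdlib.h>
#include <string.h>

#define LINEBUF_SIZE 256  /* buffer size named in the report */

/* Vulnerable shape (hypothetical model, not the util-linux source):
 * when strlen(name) == LINEBUF_SIZE the separator check reads
 * linebuf[256], one byte past a 256-byte heap allocation. */
int line_matches_user_unsafe(const char *linebuf, const char *name)
{
    size_t namelen = strlen(name);
    return strncmp(linebuf, name, namelen) == 0 && linebuf[namelen] == ':';
}

/* Hardened shape: a name that cannot fit in the buffer together with the
 * ':' separator is rejected before any indexed access happens. */
int line_matches_user_safe(const char *linebuf, size_t bufsize, const char *name)
{
    size_t namelen = strlen(name);
    if (namelen >= bufsize)   /* name + ':' cannot fit: never index past end */
        return 0;
    return strncmp(linebuf, name, namelen) == 0 && linebuf[namelen] == ':';
}

/* Constructed boundary check: a LINEBUF_SIZE-byte heap line holding
 * namelen 'a's followed by ':' (no trailing NUL, as a completely full line
 * would look), matched with the hardened check against a name of the same
 * length. Returns the match result, -1 on allocation failure. */
int demo_boundary(size_t namelen)
{
    char *linebuf = malloc(LINEBUF_SIZE);
    char *name = malloc(namelen + 1);
    int r;
    if (!linebuf || !name) { free(linebuf); free(name); return -1; }
    memset(linebuf, 'a', LINEBUF_SIZE);
    if (namelen < LINEBUF_SIZE)
        linebuf[namelen] = ':';
    memset(name, 'a', namelen);
    name[namelen] = '\0';
    r = line_matches_user_safe(linebuf, LINEBUF_SIZE, name);  /* 256 -> 0, no overread */
    free(linebuf);
    free(name);
    return r;
}
```

Running the same 256-byte case through `line_matches_user_unsafe` would read one byte past the allocation, which is exactly what a heap sanitizer flags; the hardened variant returns 0 without touching that byte.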
Status request: What is the timeline for backporting CVE-2025-14104 to CentOS Stream 9?
Timeline data:
- CVE disclosed: Dec 2024 (13 months ago)
- Upstream fix: Available Dec 2024
- Fedora 43: Patched Dec 2024
- SUSE: Patched Jan 2026
- CentOS Stream 9: util-linux-2.37.4-21 (last update ~Feb 2025)
This affects SUID utilities in multi-user environments. A 13-month delay for a moderate CVE with available upstream fixes seems unusual for a security-focused distribution. Is there a backport timeline or reason for the delay?
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:1696 https://access.redhat.com/errata/RHSA-2026:1696
Is there no intention to fix the CVE-2025-14104 vulnerability for CentOS Stream 9?
The bugfix is expected in RHEL-9.8 and 10.2; it's already in the c10s branch https://gitlab.com/redhat/centos-stream/rpms/util-linux/-/commit/bde27314c01431821a0dd620a51643ab2170c40b and in the c9s branch by commit: https://gitlab.com/redhat/centos-stream/rpms/util-linux/-/commit/22261c4fc3ece3f3d74ef4ea37aacc87c38eaf3d
And builds: https://kojihub.stream.centos.org/koji/packageinfo?packageID=2257
util-linux-2.37.4-24.el9 2025-12-15 11:02:17
util-linux-2.40.2-17.el10 2025-12-15 10:55:39
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2026:1852 https://access.redhat.com/errata/RHSA-2026:1852
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:1913 https://access.redhat.com/errata/RHSA-2026:1913