A flaw was found in util-linux. Heap buffer overread when processing 256-byte usernames. Affects any SUID login-utils utility writing to password database. The setpwnam() function allocates a 256-byte buffer but accesses linebuf[256] when username length equals 256, causing a heap buffer overread.
Fixed in upstream release v2.41.3, upgrade already available in f44 and f43. The bugfix was also backported into f42 (util-linux-2.40.4-8.fc42). The bug is in very old code (from 1997), so all older versions are affected.
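The off-by-one described above, shown as an added illustration (this is not util-linux's setpwnam() code; the function names, the 256-byte `LINEBUF_SIZE` and the sample password line are assumptions): a fixed 256-byte buffer is matched against a username and the byte right after the name is then inspected. When the name is exactly 256 bytes that byte is `linebuf[256]`, one past the end of the buffer. The hardened form rejects any name that leaves no room for the separator before the buffer is indexed.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size assumed to match the 256-byte buffer named in the report. */
#define LINEBUF_SIZE 256

/* Vulnerable pattern (illustrative reconstruction, not util-linux's own code):
 * after matching the name, peek at the byte that follows it. When the name is
 * exactly LINEBUF_SIZE bytes long, that byte is linebuf[256], one past the end
 * of a LINEBUF_SIZE-byte heap buffer: a heap buffer overread. */
int name_matches_unsafe(const char *linebuf, const char *name)
{
    size_t len = strlen(name);
    if (memcmp(linebuf, name, len) != 0)
        return 0;
    return linebuf[len] == ':';      /* overreads when len == LINEBUF_SIZE */
}

/* Hardened form: the field separator must fit inside the buffer, so a name
 * that leaves no room for it is rejected before the buffer is indexed. */
int name_matches_safe(const char *linebuf, size_t bufsize, const char *name)
{
    size_t len = strlen(name);
    if (len >= bufsize)              /* need len + 1 bytes for name and ':' */
        return 0;
    if (memcmp(linebuf, name, len) != 0)
        return 0;
    return linebuf[len] == ':';
}

/* Returns 1 when a name of this length would push the peek past a buffer of
 * bufsize bytes, i.e. the condition the report describes (len == 256). */
int peek_would_overread(size_t namelen, size_t bufsize)
{
    return namelen >= bufsize;
}

/* Builds the constructed worst case, a 256-byte username filling the whole
 * buffer, and returns what the hardened matcher says about it (expected 0). */
int long_name_rejected(void)
{
    char linebuf[LINEBUF_SIZE];
    char longname[LINEBUF_SIZE + 1];

    memset(longname, 'a', LINEBUF_SIZE);
    longname[LINEBUF_SIZE] = '\0';
    memcpy(linebuf, longname, LINEBUF_SIZE);   /* no room left for ':' */

    /* name_matches_unsafe(linebuf, longname) would read linebuf[256] here. */
    return name_matches_safe(linebuf, sizeof linebuf, longname);
}

int main(void)
{
    /* Constructed sample password-database line (not real data). */
    const char line[] = "alice:x:1000:";

    printf("short name matches: %d\n",
           name_matches_safe(line, sizeof line, "alice"));
    printf("256-byte name would overread: %d\n",
           peek_would_overread(LINEBUF_SIZE, LINEBUF_SIZE));
    printf("256-byte name accepted by hardened matcher: %d\n",
           long_name_rejected());
    return 0;
}
```

The unsafe matcher is kept only to show the pattern; it is never called with the 256-byte name, since that read is undefined behaviour and is exactly what the upstream fix removes.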
Status request: What is the timeline for backporting CVE-2025-14104 to CentOS Stream 9?

Timeline data:
- CVE disclosed: Dec 2024 (13 months ago)
- Upstream fix: Available Dec 2024
- Fedora 43: Patched Dec 2024
- SUSE: Patched Jan 2026
- CentOS Stream 9: util-linux-2.37.4-21 (last update ~Feb 2025)

This affects SUID utilities in multi-user environments. A 13-month delay for a moderate CVE with available upstream fixes seems unusual for a security-focused distribution. Is there a backport timeline or reason for the delay?