Bug 2364203 (CVE-2025-46805) - CVE-2025-46805 screen: Race Conditions when Sending Signals
Summary: CVE-2025-46805 screen: Race Conditions when Sending Signals
Keywords:
Status: NEW
Alias: CVE-2025-46805
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2025-05-05 20:20 UTC by OSIDB Bzimport
Modified: 2025-05-13 18:58 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-05-05 20:20:41 UTC
In socket.c, at lines 646 and 882, time-of-check/time-of-use (TOCTOU) race
conditions exist with regard to sending signals to user-supplied PIDs in a
setuid-root context.

The `CheckPid()` function drops privileges to the real user ID and tests
whether the kernel allows sending a signal to the target PID using these
credentials. The actual signal is sent later via `Kill()`, potentially using
full root privileges. The check and the send are separate calls, so by the
time `Kill()` runs, the PID that was previously checked could have been
replaced by a different, privileged process. It might also be possible to
trick the (privileged) Screen daemon process into sending signals to itself,
since a process is always allowed to send signals to itself.

Currently this should only allow sending SIGCONT and SIGHUP signals, so the
impact is likely limited to a local denial of service or a minor integrity
violation.
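The following is an added illustration of the pattern described above; it is neither screen's socket.c nor the upstream fix. It places the vulnerable check-then-kill shape (permission test under the real UID, delivery later with restored privileges) beside one hardened variant that refuses self and process-group targets and performs the permission check and the delivery in a single kill() call while running as the real user. The function names, the forked child used as a target, and the bitmask-returning demo are assumptions made for the example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Vulnerable shape (illustration only, not screen's code): the permission
 * check runs with the real UID, but the signal is sent by a separate call,
 * possibly after privileges were restored and after the PID was recycled.
 */
static int checkpid_vulnerable(pid_t pid)
{
    uid_t saved_euid = geteuid();
    if (seteuid(getuid()) < 0)
        return 0;
    int allowed = (kill(pid, 0) == 0);     /* time of check: real-UID view */
    if (seteuid(saved_euid) < 0)           /* back to (possibly) root */
        return 0;
    return allowed;
}

static int kill_vulnerable(pid_t pid, int sig)
{
    /* time of use: nothing ties this PID to the process that was checked,
     * and with euid 0 the kernel will deliver to any process, including us */
    return kill(pid, sig);
}

/*
 * Hardened shape: refuse self and process-group/broadcast targets, then let
 * one kill() call do both the permission check and the delivery while the
 * real user's credentials are in effect. The kernel checks the caller's
 * unprivileged UID at the moment of delivery, so there is no window.
 */
static int signal_as_real_user(pid_t pid, int sig)
{
    if (pid <= 0 || pid == getpid()) {     /* no groups, no signalling ourselves */
        errno = EPERM;
        return -1;
    }
    uid_t saved_euid = geteuid();
    if (seteuid(getuid()) < 0)
        return -1;
    int rc = kill(pid, sig);
    int kill_errno = errno;
    if (seteuid(saved_euid) < 0)           /* restore for the rest of the daemon */
        return -1;
    errno = kill_errno;
    return rc;
}

/*
 * Demo/self-check (assumed harness): forks an unprivileged child as the
 * target and exercises both shapes. Returns 0 when every expectation holds,
 * otherwise a bitmask naming the failed step.
 */
int run_demo(void)
{
    int failures = 0;
    pid_t child = fork();
    if (child < 0)
        return 1 << 0;
    if (child == 0) {
        for (;;)
            pause();                       /* target just waits for signals */
    }
    /* 1. legitimate target owned by us: SIGCONT is delivered */
    if (signal_as_real_user(child, SIGCONT) != 0)
        failures |= 1 << 1;
    /* 2. making the daemon signal itself is refused */
    if (signal_as_real_user(getpid(), SIGHUP) != -1 || errno != EPERM)
        failures |= 1 << 2;
    /* 3. process-group and broadcast targets are refused */
    if (signal_as_real_user(0, SIGHUP) != -1 || signal_as_real_user(-1, SIGHUP) != -1)
        failures |= 1 << 3;
    /* 4. the vulnerable pair still "works": check and use are separate calls,
     *    which is exactly the window the advisory describes */
    if (!checkpid_vulnerable(child) || kill_vulnerable(child, SIGCONT) != 0)
        failures |= 1 << 4;

    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return failures;
}

int main(void)
{
    int f = run_demo();
    printf("demo %s (failure mask 0x%x)\n", f == 0 ? "ok" : "FAILED", f);
    return f != 0;
}
```

The demo runs as an ordinary user (seteuid() to the current UID is then a no-op, and the child is the only target it signals), so it shows the control flow rather than an actual privilege escalation. When the check and the send genuinely must be separate calls, Linux offers pidfd_open() plus pidfd_send_signal(), which bind the later delivery to the specific process instance that was checked and so defeat PID reuse; that is an independent hardening and not something this bug report states screen uses.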

