A recent report discloses a vulnerability in Glibc, the standard C library, registered as CVE-2025-4802, which allows an attacker to execute code with the privileges of another user. The vulnerability is triggered when running applications with the SUID flag set. The severity of the issue lies in the fact that the conditions for its exploitation are prevalent, as Glibc developers identified multiple SUID programs that are susceptible to this vulnerability. Consequently, it is plausible that this flaw could be exploited in common SUID programs used in daily activities.
This vulnerability impacts statically linked SUID programs that invoke the dlopen function. It also extends to programs where dlopen is invoked indirectly, for example through a setlocale call or an NSS function such as getaddrinfo.
The root cause of this vulnerability lies in the handling of the environment variable LD_LIBRARY_PATH in SUID applications when dlopen is invoked from a statically linked program. The issue arises specifically when LD_LIBRARY_PATH is set to load a dummy library from the attacker’s directory. The vulnerability was initially identified in Glibc version 2.27 (February 2018) and was resolved in the Glibc 2.39 release in February 2024.
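
A defender can inventory candidates for this condition by listing SUID files that are statically linked. The following Python script is an added example, not code from Glibc or from the report; it assumes that an ELF executable with no PT_INTERP program header is static, and the function names are chosen here for illustration.

```python
import os, stat, struct, sys

PT_INTERP = 3  # program header type that names the dynamic loader

def is_static_elf(data: bytes) -> bool:
    """True if `data` starts an ELF executable with no PT_INTERP header.

    Covers classic static and static-pie executables alike."""
    if len(data) < 0x34 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return False
    end = "<" if data[5] == 1 else ">"
    try:
        (e_type,) = struct.unpack_from(end + "H", data, 0x10)
        if e_type not in (2, 3):          # only ET_EXEC and ET_DYN images
            return False
        if data[4] == 2:                  # ELFCLASS64 field offsets
            (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        else:                             # ELFCLASS32 field offsets
            (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        for i in range(phnum):
            (p_type,) = struct.unpack_from(end + "I", data, phoff + i * phentsize)
            if p_type == PT_INTERP:
                return False              # dynamically linked
    except struct.error:                  # truncated or malformed header table
        return False
    return True

def find_static_suid(root: str) -> list:
    """Walk `root` and return SUID regular files that are static ELF."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID):
                    continue
                with open(path, "rb") as fh:
                    # Program headers normally sit right after the ELF header.
                    if is_static_elf(fh.read(65536)):
                        hits.append(path)
            except OSError:               # unreadable or vanished file
                continue
    return sorted(hits)

if __name__ == "__main__":
    for path in find_static_suid(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(path)
```

A hit is only a candidate: the program must also reach dlopen, directly or through setlocale or an NSS function, and be built against an affected Glibc. Run the scan as root, since SUID files the current user cannot read are skipped.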