CVE-2025-14104 MEDIUM

CVE-2025-14104: Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames

Vendor Util-Linux
Product util-linux
Weakness CWE-125
Published December 5, 2025
Last update June 29, 2026

CVSS base score

6.1/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

What the vulnerability does

01Description

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Key dates

02Disclosure timeline

December 5, 2025 CVE published
June 29, 2026 Record updated