CVE-2025-15281

CVE-2025-15281: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory

Vendor The Gnu C Library
Product glibc
Weakness CWE-908
Published January 20, 2026
Last update January 22, 2026

CVSS base score

What the vulnerability does

01Description

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

Key dates

02Disclosure timeline

January 20, 2026 CVE published
January 22, 2026 Record updated