CVE-2025-32022 MEDIUM

CVE-2025-32022: Finit has heap based buffer overwrite in urandom.so plugin

Vendor Troglobit

Product finit

Weakness CWE-787

Published May 6, 2025

Last update May 6, 2025

View on NVD All CVEs

CVSS base score

4.6/10

Attack vector Local

Attack complexity High

Privileges required High

User interaction Required

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L

What the vulnerability does

01Description

Finit provides fast init for Linux systems. Finit's urandom plugin has a heap buffer overwrite vulnerability at boot which leads to it overwriting other parts of the heap, possibly causing random instabilities and undefined behavior. The urandom plugin is enabled by default, so this bug affects everyone using Finit 4.2 or later that do not explicitly disable the plugin at build time. This bug is fixed in Finit 4.12. Those who cannot upgrade or backport the fix to urandom.c are strongly recommended to disable the plugin in the call to the `configure` script.

Key dates

02Disclosure timeline

May 6, 2025 CVE published

May 6, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-32022 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/787.html

Related vulnerabilities

CVE-2025-32022: Finit has heap based buffer overwrite in urandom.so plugin

01Description

02Disclosure timeline

03References

04Related CVE