SecuriTricks - CVE-2025-8058

Description

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Product(s) Impacted

Vendor	Product	Versions
Gnu	Gnu C Library	2.4-2.41

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-415

Double Free

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	gnu	gnu_c_library	2.4-2.41	/	/	/	/	/	/	/

References

https://sourceware.org/bugzilla/show_bug.cgi?id=33185

https://sourceware.org/git/?p=glibc.git;a=commit;h=3ff17af18c38727b88d9115e536c069e6b5d601f

CVSS Score

5.9 / 10

CVSS Data - 4.0

Attack Vector: LOCAL
Attack Complexity: HIGH
Attack Requirements: PRESENT
Privileges Required: LOW
User Interaction: PASSIVE
Scope:
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: July 23, 2025, 8:15 p.m.
Last Modified: July 23, 2025, 8:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

3ff69d7a-14f2-4f67-a097-88dee7810d18

CVE-2025-8058