{
  "threat_severity" : "Moderate",
  "public_date" : "2025-12-05T00:00:00Z",
  "bugzilla" : {
    "description" : "util-linux: util-linux: Heap buffer overread in setpwnam() when processing 256-byte usernames",
    "id" : "2419369",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2419369"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1696",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "util-linux-0:2.40.2-15.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-04T00:00:00Z",
    "advisory" : "RHSA-2026:1852",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "util-linux-0:2.32.1-48.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-04T00:00:00Z",
    "advisory" : "RHSA-2026:1852",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "util-linux-0:2.32.1-48.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-04T00:00:00Z",
    "advisory" : "RHSA-2026:1913",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "util-linux-0:2.37.4-21.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-04T00:00:00Z",
    "advisory" : "RHSA-2026:1913",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "util-linux-0:2.37.4-21.el9_7"
  }, {
    "product_name" : "Red Hat Ceph Storage 7",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2800",
    "cpe" : "cpe:/a:redhat:ceph_storage:7::el9",
    "package" : "rhceph/rhceph-7-rhel9:sha256:485411749726179fe5cd880e2cf308261b35150e4b356ddb7100f52e02b2e353"
  }, {
    "product_name" : "Red Hat Ceph Storage 8",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2737",
    "cpe" : "cpe:/a:redhat:ceph_storage:8::el9",
    "package" : "rhceph/rhceph-8-rhel9:sha256:2325f237ab329cb3f1d3db4da40ed19f68d6daa2a5902c71be3f0d3cfcadd503"
  }, {
    "product_name" : "Red Hat Ceph Storage 9",
    "release_date" : "2026-02-26T00:00:00Z",
    "advisory" : "RHSA-2026:3406",
    "cpe" : "cpe:/a:redhat:ceph_storage:9::el10",
    "package" : "rhceph/rhceph-9-rhel9:sha256:53a72419a7e4f4b332b9c6759ff1c389f226e26599236bc770d367c68bba911a"
  }, {
    "product_name" : "Red Hat Insights proxy 1.5",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2485",
    "cpe" : "cpe:/a:redhat:insights_proxy:1.5::el9",
    "package" : "insights-proxy/insights-proxy-container-rhel9:sha256:975a1e501a8520df83f3f4114e72a71384ff1866ec99c7a45fffbf8c76ef5cbc"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-02-11T00:00:00Z",
    "advisory" : "RHSA-2026:2563",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/installer-rhel9:sha256:48cf7cf48dfadb17f9357bf1894a5d0393551a893faa8b0ea0e11fe1ffed497f"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-03-18T00:00:00Z",
    "advisory" : "RHSA-2026:4943",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/cds-rhel9:sha256:200c27e9b396276bd505c6b41127ac5eb1d94d620172cb818ae733f2a21ac524"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-03-18T00:00:00Z",
    "advisory" : "RHSA-2026:4943",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/haproxy-rhel9:sha256:d98fd3fe5f5f9acd0efae7db19b61b864be1eb2fbe2586a1b6be2429fa2cc7a3"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-03-18T00:00:00Z",
    "advisory" : "RHSA-2026:4943",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/rhua-rhel9:sha256:5f1fbf66fb349a7baf066a1216d39989c3b89f18ec5108b96d9643baf4856778"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "util-linux-ng",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "util-linux",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Hardened Images 1",
    "fix_state" : "Affected",
    "package_name" : "util-linux",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-14104\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-14104" ],
  "name" : "CVE-2025-14104",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}