CVE-2025-4802 log

Source
Severity Critical
Remote Unknown
Type Arbitrary code execution
Description
A statically linked setuid binary that calls dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo) may incorrectly search LD_LIBRARY_PATH to determine which library to load, leading to the execution of library code that is attacker controlled.

The only viable vector for exploitation of this bug is local, if a static setuid program exists, and that program calls dlopen, then it may search LD_LIBRARY_PATH to locate the SONAME to load. No such program has been discovered at the time of publishing this advisory, but the presence of custom setuid programs, although strongly discouraged as a security practice, cannot be discounted.
References
https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0002
https://www.openwall.com/lists/oss-security/2025/05/16/7
https://sourceware.org/bugzilla/show_bug.cgi?id=32976
https://nvd.nist.gov/vuln/detail/CVE-2025-4802
https://github.com/advisories/GHSA-8mm9-c4mg-vfjh
Notes
I don't think this can be exploited remotely. The original source [1] says "The only viable vector for exploitation of this bug is local" tho the GitHub SA [2] list the attack vector as remote.
[1]: https://sourceware.org/cgit/glibc/tree/advisories/GLIBC-SA-2025-0002
[2]: https://github.com/advisories/GHSA-8mm9-c4mg-vfjh