CVE-2025-32022

Finit provides fast init for Linux systems. Finit's urandom plugin has a heap buffer overwrite vulnerability at boot which leads to it overwriting other parts of the heap, possibly causing random instabilities and undefined behavior. The urandom plugin is enabled by default, so this bug affects everyone using Finit 4.2 or later that do not explicitly disable the plugin at build time. This bug is fixed in Finit 4.12. Those who cannot upgrade or backport the fix to urandom.c are strongly recommended to disable the plugin in the call to the `configure` script.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.3 / Impact : 4.2

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/troglobit/finit/commit/3feff37ba51fa0a6a0a06f59682a0918aa5b04de
https://github.com/troglobit/finit/security/advisories/GHSA-fv6v-vw8h-9x79

Configurations

No configuration.

History

No history.

Information

Published : 2025-05-06 17:16

Updated : 2025-05-07 14:13

NVD link : CVE-2025-32022

Mitre link : CVE-2025-32022

CVE.ORG link : CVE-2025-32022

JSON object : View

Products Affected

No product.

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2025-32022", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 0.3}]}, "published": "2025-05-06T17:16:12.097", "references": [{"url": "https://github.com/troglobit/finit/commit/3feff37ba51fa0a6a0a06f59682a0918aa5b04de", "source": "security-advisories@github.com"}, {"url": "https://github.com/troglobit/finit/security/advisories/GHSA-fv6v-vw8h-9x79", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "Finit provides fast init for Linux systems. Finit's urandom plugin has a heap buffer overwrite vulnerability at boot which leads to it overwriting other parts of the heap, possibly causing random instabilities and undefined behavior. The urandom plugin is enabled by default, so this bug affects everyone using Finit 4.2 or later that do not explicitly disable the plugin at build time. This bug is fixed in Finit 4.12. Those who cannot upgrade or backport the fix to urandom.c are strongly recommended to disable the plugin in the call to the `configure` script."}, {"lang": "es", "value": "Finit proporciona un inicio r\u00e1pido para sistemas Linux. El complemento urandom de Finit presenta una vulnerabilidad de sobrescritura del b\u00fafer del mont\u00f3n durante el arranque, lo que provoca que sobrescriba otras partes del mont\u00f3n, lo que podr\u00eda causar inestabilidades aleatorias y un comportamiento indefinido. El complemento urandom est\u00e1 habilitado por defecto, por lo que este error afecta a todos los usuarios de Finit 4.2 o posterior que no lo desactiven expl\u00edcitamente durante la compilaci\u00f3n. Este error se corrigi\u00f3 en Finit 4.12. Se recomienda encarecidamente a quienes no puedan actualizar o implementar la correcci\u00f3n a urandom.c que desactiven el complemento al llamar al script `configure`."}], "lastModified": "2025-05-07T14:13:20.483", "sourceIdentifier": "security-advisories@github.com"}