glibc 2.36-9+deb12u10 (deb)
pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_distro=bookworm&os_name=debian&os_version=12

| Affected range | <2.36-9+deb12u11 |
| Fixed version | 2.36-9+deb12u11 |
| EPSS Score | 0.012% |
| EPSS Percentile | 1st percentile |
Description
Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library versions 2.27 to 2.38 allows attacker-controlled loading of a dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

| Affected range | <2.36-9+deb12u13 |
| Fixed version | 2.36-9+deb12u13 |
| EPSS Score | 0.017% |
| EPSS Percentile | 3rd percentile |
Description
The regcomp function in the GNU C library, versions 2.4 to 2.41, is subject to a double free if some previous allocation fails. It can be triggered either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending on how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.
perl 5.36.0-7+deb12u2 (deb)
pkg:deb/debian/perl@5.36.0-7%2Bdeb12u2?os_distro=bookworm&os_name=debian&os_version=12

| Affected range | <5.36.0-7+deb12u3 |
| Fixed version | 5.36.0-7+deb12u3 |
| EPSS Score | 0.839% |
| EPSS Percentile | 74th percentile |
Description
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
[experimental] - perl 5.38.0~rc2-1

| Affected range | <5.36.0-7+deb12u3 |
| Fixed version | 5.36.0-7+deb12u3 |
| EPSS Score | 0.010% |
| EPSS Percentile | 1st percentile |
Description
Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or further) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6.
[experimental] - perl 5.40.1-4
openssl 3.0.16-1~deb12u1 (deb)
pkg:deb/debian/openssl@3.0.16-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12

| Affected range | <3.0.17-1~deb12u3 |
| Fixed version | 3.0.17-1~deb12u3 |
| EPSS Score | 0.026% |
| EPSS Percentile | 7th percentile |
Description
Issue summary: An application trying to decrypt CMS messages encrypted using password-based encryption can trigger an out-of-bounds read and write.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code. Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password-based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

| Affected range | <3.0.17-1~deb12u3 |
| Fixed version | 3.0.17-1~deb12u3 |
| EPSS Score | 0.028% |
| EPSS Percentile | 7th percentile |
Description
Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.

Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application. The OpenSSL HTTP client API functions can be used directly by applications, but they are also used by the OCSP client functions and the CMP (Certificate Management Protocol) client implementation in OpenSSL. However, the URLs used by these implementations are unlikely to be controlled by an attacker. In this vulnerable code the out-of-bounds read can only trigger a crash. Furthermore, the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function, and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity. The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0. The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.

| Affected range | >=3.0.11-1~deb12u2 |
| Fixed version | Not Fixed |
| EPSS Score | 0.132% |
| EPSS Percentile | 34th percentile |
Description
OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."
http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf
openssl/openssl#24540
Fault injection based attacks are not within OpenSSL's threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html
tar 1.34+dfsg-1.2+deb12u1 (deb)
pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

| Affected range | >=1.34+dfsg-1.2+deb12u1 |
| Fixed version | Not Fixed |
| EPSS Score | 0.048% |
| EPSS Percentile | 15th percentile |
Description
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages).
Disputed tar issue, works as documented per upstream:
https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md

| Affected range | >=1.34+dfsg-1.2+deb12u1 |
| Fixed version | Not Fixed |
| EPSS Score | 1.530% |
| EPSS Percentile | 81st percentile |
Description
Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.
This is intended behaviour; after all, tar is an archiving tool and you need to give -p as a command line flag.
Microsoft.NETCore.App.Runtime.linux-x64 8.0.18 (nuget)
pkg:nuget/Microsoft.NETCore.App.Runtime.linux-x64@8.0.18
Inadequate Encryption Strength
| Affected range | >=8.0.0 <=8.0.20 |
| Fixed version | 8.0.21 |
| CVSS Score | 5.7 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
| EPSS Score | 0.034% |
| EPSS Percentile | 10th percentile |
Description
Microsoft Security Advisory CVE-2025-55248 | .NET Information Disclosure Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A MITM (man-in-the-middle) attacker may prevent use of TLS between the client and the SMTP server, forcing the client to send data over an unencrypted connection.
Announcement
Announcement for this issue can be found at dotnet/announcements#372
Mitigation factors
Microsoft has not identified any mitigating factors for this vulnerability.
Affected software
- Any .NET 8.0 application running on .NET 8.0.20 or earlier.
- Any .NET 9.0 application running on .NET 9.0.9 or earlier.
Affected Packages
The vulnerability affects any Microsoft .NET project if it uses any of the affected package versions listed below.
.NET 9
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.NetCore.App.Runtime.linux-arm | >= 9.0.0, <= 9.0.9 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.linux-arm64 | >= 9.0.0, <= 9.0.9 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm | >= 9.0.0, <= 9.0.9 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 | >= 9.0.0, <= 9.0.9 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 | >= 9.0.0, <= 9.0.9 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.linux-x64 | >= 9.0.0, <= 9.0.9 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.osx-arm64 | >= 9.0.0, <= 9.0.9 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.osx-x64 | >= 9.0.0, <= 9.0.9 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.win-arm | >= 9.0.0, <= 9.0.9 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.win-arm64 | >= 9.0.0, <= 9.0.9 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.win-x64 | >= 9.0.0, <= 9.0.9 | 9.0.10 |
| Microsoft.NetCore.App.Runtime.win-x86 | >= 9.0.0, <= 9.0.9 | 9.0.10 |
.NET 8
| Package name | Affected version | Patched version |
|---|---|---|
| Microsoft.NetCore.App.Runtime.linux-arm | >= 8.0.0, <= 8.0.20 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.linux-arm64 | >= 8.0.0, <= 8.0.20 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm | >= 8.0.0, <= 8.0.20 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 | >= 8.0.0, <= 8.0.20 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 | >= 8.0.0, <= 8.0.20 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.linux-x64 | >= 8.0.0, <= 8.0.20 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.osx-arm64 | >= 8.0.0, <= 8.0.20 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.osx-x64 | >= 8.0.0, <= 8.0.20 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.win-arm | >= 8.0.0, <= 8.0.20 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.win-arm64 | >= 8.0.0, <= 8.0.20 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.win-x64 | >= 8.0.0, <= 8.0.20 | 8.0.21 |
| Microsoft.NetCore.App.Runtime.win-x86 | >= 8.0.0, <= 8.0.20 | 8.0.21 |
Advisory FAQ
How do I know if I am affected?
If you have a runtime with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.
How do I fix the issue?
- To fix the issue please install the latest version of .NET 9.0 or .NET 8.0, as appropriate. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
- If your application references the vulnerable package, update the package reference to the patched version.
- You can list the versions you have installed by running the `dotnet --info` command. You will see output like the following:

```text
.NET SDK:
 Version:           9.0.100
 Commit:            59db016f11
 Workload version:  9.0.100-manifests.3068a692
 MSBuild version:   17.12.7+5b8665660

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  15.2
 OS Platform: Darwin
 RID:         osx-arm64
 Base Path:   /usr/local/share/dotnet/sdk/9.0.100/

.NET workloads installed:
There are no installed workloads to display.
Configured to use loose manifests when installing new manifests.

Host:
  Version:      9.0.0
  Architecture: arm64
  Commit:       9d5a6a9aa4

.NET SDKs installed:
  9.0.100 [/usr/local/share/dotnet/sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 9.0.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 9.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

Other architectures found:
  x64   [/usr/local/share/dotnet]
    registered at [/etc/dotnet/install_location_x64]

Environment variables:
  Not set

global.json file:
  Not found

Learn more:
  https://aka.ms/dotnet/info

Download .NET:
  https://aka.ms/dotnet/download
```
Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.
Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET 9.0 or .NET 8.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
CVE-2025-55248
Revisions
V1.0 (October 14, 2025): Advisory published.
coreutils 9.1-1 (deb)
pkg:deb/debian/coreutils@9.1-1?os_distro=bookworm&os_name=debian&os_version=12

| Affected range | >=9.1-1 |
| Fixed version | Not Fixed |
| EPSS Score | 0.018% |
| EPSS Percentile | 4th percentile |
Description
A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.

| Affected range | >=9.1-1 |
| Fixed version | Not Fixed |
| EPSS Score | 0.056% |
| EPSS Percentile | 18th percentile |
Description
In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.
libgcrypt20 1.10.1-3 (deb)
pkg:deb/debian/libgcrypt20@1.10.1-3?os_distro=bookworm&os_name=debian&os_version=12

| Affected range | >=1.10.1-3 |
| Fixed version | Not Fixed |
| EPSS Score | 0.228% |
| EPSS Percentile | 46th percentile |
Description
A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

| Affected range | >=1.10.1-3 |
| Fixed version | Not Fixed |
| EPSS Score | 0.577% |
| EPSS Percentile | 68th percentile |
Description
cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.
apt 2.6.1 (deb)
pkg:deb/debian/apt@2.6.1?os_distro=bookworm&os_name=debian&os_version=12

| Affected range | >=2.6.1 |
| Fixed version | Not Fixed |
| EPSS Score | 1.509% |
| EPSS Percentile | 81st percentile |
Description
It was found that apt-key in apt, all versions, does not correctly validate gpg keys against the master keyring, leading to a potential man-in-the-middle attack.
gnutls28 3.7.9-2+deb12u5 (deb)
pkg:deb/debian/gnutls28@3.7.9-2%2Bdeb12u5?os_distro=bookworm&os_name=debian&os_version=12

| Affected range | >=3.7.9-2+deb12u5 |
| Fixed version | Not Fixed |
| EPSS Score | 3.795% |
| EPSS Percentile | 88th percentile |
Description
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
util-linux 2.38.1-5+deb12u3 (deb)
pkg:deb/debian/util-linux@2.38.1-5%2Bdeb12u3?os_distro=bookworm&os_name=debian&os_version=12

| Affected range | >=2.38.1-5+deb12u3 |
| Fixed version | Not Fixed |
| EPSS Score | 0.020% |
| EPSS Percentile | 5th percentile |
Description
A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.
shadow 1:4.13+dfsg1-1+deb12u1 (deb)
pkg:deb/debian/shadow@1%3A4.13%2Bdfsg1-1%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

| Affected range | >=1:4.13+dfsg1-1+deb12u1 |
| Fixed version | Not Fixed |
| EPSS Score | 0.206% |
| EPSS Percentile | 43rd percentile |
Description
initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.
- shadow (unimportant)
See #290803; on Debian, LOG_UNKFAIL_ENAB in login.defs is set to no, so unknown usernames are not recorded on login failures.
gcc-12 12.2.0-14+deb12u1 (deb)
pkg:deb/debian/gcc-12@12.2.0-14%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

| Affected range | >=12.2.0-14+deb12u1 |
| Fixed version | Not Fixed |
| EPSS Score | 0.050% |
| EPSS Percentile | 16th percentile |
Description
libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.