Vulnerability DatabaseCVE-2015-9542

CVE-2015-9542:
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2015-9542 affects the pam_radius authentication module version 1.4.0 and earlier. The vulnerability was discovered in the add_password function within pam_radius_auth.c, where incorrect password length checking could lead to security issues. The vulnerability was publicly disclosed and patched in February 2020 (NVD, Ubuntu Notice).

Technical details

The vulnerability stems from improper password length validation in the add_password() function of pam_radius_auth.c. Specifically, the function performed an incorrect memcpy operation using strlen(password) instead of the properly bounded length variable, leading to a potential stack-based buffer overflow (FreeRADIUS Commit).

Impact

The vulnerability could allow an attacker to cause a denial of service (DoS) by crashing applications using the PAM stack for authentication. While arbitrary code execution might be theoretically possible, this depends on various factors including the application, C library, and compiler settings (Debian LTS).

Mitigation and workarounds

The vulnerability was fixed in multiple distributions through security updates: Ubuntu released fixes for versions 19.10, 18.04, 16.04, 14.04, and 12.04 (Ubuntu Notice), Debian provided updates for Debian 8 'Jessie' (version 1.3.16-4.4+deb8u1) and Debian 9 'Stretch' (version 1.3.16-5+deb9u1) (Debian LTS).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

7.5

Score

Published February 24, 2020

Severity HIGH

CNA Score N/A

Affected Technologies

Linux Debian
Linux Ubuntu

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 82.8

Exploitation Probability (EPSS) 1.9

Affected packages and libraries

pam_radius
pam_radius-32bit

Sources

NVD
Debian Security Tracker
- Debian 8, 9, 10, 11, 12 Severity HIGHHas FixAdded at: Nov 23, 2021
- Debian 13 Severity HIGHHas FixAdded at: Jun 11, 2023
- Debian 14 Severity HIGHHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity HIGHHas FixAdded at: Nov 18, 2025
Ubuntu Security Tracker
- Ubuntu 14.04 Severity MEDIUMHas FixAdded at: Mar 28, 2022
- Ubuntu 16.04, 18.04, 19.10 Severity MEDIUMHas FixAdded at: Nov 23, 2021

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Linux Debian vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-23745	HIGH	8.2	JavaScript	argo-workflows-fips-3.6	No	Yes	Jan 16, 2026
CVE-2026-23535	HIGH	8	Python	wlc	No	Yes	Jan 16, 2026
CVE-2026-23490	HIGH	7.5	Python	pyasn1	No	Yes	Jan 16, 2026
CVE-2026-23643	MEDIUM	5.4	CakePHP	cakephp	No	Yes	Jan 16, 2026
CVE-2025-61873	LOW	2.6	Linux Debian	request-tracker4	No	Yes	Jan 16, 2026