Vulnerability DatabaseCVE-2025-23395

CVE-2025-23395:
Linux Fedora vulnerability analysis and mitigation

Overview

Screen 5.0.0 contains a critical security vulnerability (CVE-2025-23395) discovered in early 2025. When running with setuid-root privileges, the logfile_reopen() function fails to drop privileges while operating on user-supplied paths. The vulnerability specifically impacts systems where Screen is installed with setuid-root privileges, such as Arch Linux and NetBSD (SUSE Bugzilla, NVD).

Technical details

The vulnerability exists in the logfile_reopen() function when Screen runs with setuid-root privileges. The function fails to drop privileges while handling user-supplied paths, allowing unprivileged users to create files in arbitrary locations with root ownership, the invoking user's real group ownership, and file mode 0644. The issue was introduced through commit 441bca708bd which removed the lfsecreopen() function. The vulnerability has received a CVSS v3.1 base score of 7.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Wiz).

Impact

The vulnerability allows unprivileged users to create files in arbitrary locations with root ownership. All data written to the Screen PTY will be logged into this file, enabling privilege escalation to root. Attackers can exploit this by writing new configuration files for tools like sudo or by appending code to privileged shell scripts in system directories (SUSE Bugzilla, Wiz).

Mitigation and workarounds

The issue has been addressed by reintroducing secure file handling during logfile reopen. Distributions are advised not to install Screen with setuid-root privileges. For systems that require multi-user functionality, it is recommended to offer this feature only in an opt-in fashion, such as allowing only members of a trusted group to run a multi-user version of Screen (Openwall, Wiz).

Community reactions

A comprehensive security audit by the SUSE Security Team uncovered this vulnerability, leading to immediate responses from affected distributions. The discovery has prompted discussions about the security implications of setuid-root privileges in Screen installations (Security Online).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

7.3

Score

Published May 26, 2025

Severity HIGH

CNA Score 7.3

Affected Technologies

Linux Fedora
Linux Red Hat

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 4.1

Exploitation Probability (EPSS) N/A

Affected packages and libraries

screen
screen-debuginfo

Sources

NVD
Alpine Security Tracker
- Alpine 3.21, edge Severity HIGHHas FixAdded at: May 15, 2025
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
- Alpine 3.23 Severity HIGHHas FixAdded at: Dec 04, 2025
Red Hat Errata
- Red Hat 6, 7 Severity MEDIUMNo FixAdded at: May 14, 2025
Seal Security
- Red Hat 6, 7 Severity HIGHHas FixAdded at: Nov 18, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Linux Fedora vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-24528	HIGH	7.1	Kerberos	libkadm5	No	Yes	Jan 16, 2026
CVE-2026-22857	MEDIUM	6.8	Wolfi	freerdp2	No	Yes	Jan 14, 2026
CVE-2026-22856	MEDIUM	6.8	Wolfi	libwinpr-devel	No	Yes	Jan 14, 2026
CVE-2026-22859	MEDIUM	5.6	Wolfi	freerdp2	No	Yes	Jan 14, 2026
CVE-2026-22858	MEDIUM	5.6	Wolfi	freerdp-debuginfo	No	Yes	Jan 14, 2026