CVE-2025-29906: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-29906 affects Finit, a fast init system for Linux systems. The vulnerability was discovered and disclosed on April 29, 2025, impacting versions from 3.0-rc1 to versions prior to 4.11. This security flaw in Finit's bundled getty implementation allows unauthorized users to bypass authentication mechanisms (NVD, Security Online).

The vulnerability stems from a flaw in how Finit's built-in getty handles the tty configuration directive. The bundled implementation can bypass the standard /bin/login authentication process when configured to use the internal getty for certain terminals. The vulnerability has been assigned a CVSS v3.1 score of 8.6 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating local access requirements but high impact potential (GitHub Advisory).

When exploited, this vulnerability allows an attacker to log in as any user without requiring authentication, potentially including root access if enabled. This poses a significant security risk, particularly in multi-user environments, development boards, or systems exposed to physical access or serial terminal connections (Security Online).

The vulnerability has been patched in Finit version 4.11. For users unable to upgrade immediately, a workaround exists by using an external getty implementation, such as agetty from the distribution. The workaround can be implemented by modifying the Finit tty configuration files to explicitly call the external getty binary, for example: tty [12345] /sbin/agetty /dev/ttyAMA0 xterm noclear (GitHub Advisory, GitHub Commit).