
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-40909 is a race condition vulnerability in Perl threads that affects versions from 5.13.6 before 5.41.13. The vulnerability occurs when a directory handle is open at thread creation, causing the process-wide current working directory to be temporarily changed in order to clone that handle for the new thread. This change is visible from any third (or more) thread already running, which may lead to unintended operations such as loading code or accessing files from unexpected locations (NVD, OSS Security).
The vulnerability was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6. The issue stems from the use of fchdir in Perl_dirp_dup from sv.c, which affects the global process working directory during thread creation. The CVSS v3.1 base score is 5.9 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (NVD, Ubuntu).
A local attacker who exploits the race condition can cause unintended operations such as loading code or accessing files from unexpected locations. This could potentially lead to arbitrary code execution when file operations target unintended paths. The impact is particularly severe in multi-threaded applications where directory handles are used (OSS Security).
A patch has been released that modifies the directory handle cloning mechanism to use fdopendir and dup instead of fchdir, preventing the race condition. The fix is included in Perl version 5.41.13. Users are advised to upgrade to this version or apply the patch provided in commit 918bfff86ca8d6d4e4ec5b30994451e0bd74aba9 (GitHub Patch).
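The dup-plus-fdopendir approach named above, shown as an added C example. It is not the Perl patch or code from the advisory, and the helper names clone_dir_handle and clone_preserves_cwd are hypothetical. It clones an open directory handle and checks that the process-wide working directory was never changed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Clone an open directory handle without touching the process-wide cwd.
 * Hypothetical helper: duplicates the descriptor and wraps it in a new DIR.
 * Note: dup() shares the open file description, so both handles share
 * the underlying read offset. */
DIR *clone_dir_handle(DIR *src)
{
    int fd = dirfd(src);
    if (fd < 0)
        return NULL;
    int copy = dup(fd);
    if (copy < 0)
        return NULL;
    DIR *dst = fdopendir(copy);
    if (dst == NULL)
        close(copy);            /* fdopendir failed, so we still own copy */
    return dst;
}

/* Returns 1 if cloning a handle on `path` left the cwd unchanged and the
 * clone refers to the same directory (same device and inode), else 0. */
int clone_preserves_cwd(const char *path)
{
    char before[4096], after[4096];
    struct stat a, b;
    int ok = 0;
    DIR *src = opendir(path);
    if (src == NULL)
        return 0;
    DIR *dst = getcwd(before, sizeof before) ? clone_dir_handle(src) : NULL;
    if (dst != NULL && getcwd(after, sizeof after) != NULL
        && fstat(dirfd(src), &a) == 0 && fstat(dirfd(dst), &b) == 0)
        ok = strcmp(before, after) == 0
             && a.st_dev == b.st_dev && a.st_ino == b.st_ino;
    if (dst != NULL)
        closedir(dst);
    closedir(src);
    return ok;
}

int main(void) { printf("cwd preserved: %d\n", clone_preserves_cwd("/")); return 0; }
```

Because no fchdir call is made at any point, a concurrently running thread resolving a relative path never observes a different working directory.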
Source: This report was generated using AI