
Cloud Vulnerability DB
A community-led vulnerabilities database
A minor information leak vulnerability was discovered in GNU Screen that affects version 5.0.0 and older versions when Screen runs with setuid-root privileges. The vulnerability was discovered by the SUSE Security Team and publicly disclosed on May 13, 2025. The issue allows unprivileged users to use error messages to deduce information about paths that would otherwise not be available to them (NVD, SUSE Bug).
The vulnerability exists in the code that inspects the SocketPath with root privileges in screen.c starting at line 849. When using the SCREENDIR environment variable, the code provides detailed error messages that reveal information about file and directory existence and types. The vulnerability has a CVSS v3.1 Base Score of 3.3 (Low) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD, Wiz Report).
The impact of this vulnerability is considered minor, primarily resulting in an information leak that allows unprivileged users to gather intelligence about the filesystem structure and file existence in privileged locations. This could potentially be used as part of a larger attack chain to map out the target system (Wiz Report).
The issue has been addressed with patches that modify the error message handling to only output generic error messages when Screen is installed setuid-root and when the target path is not controlled by the real UID of the process. Additionally, it is recommended not to install Screen with setuid-root privileges at all, or to restrict the multi-user feature to trusted groups only (Openwall).
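One way to check a host against the two recommendations above, as an added example that is not from the advisory or the Screen project. The function names and status strings are chosen for this example, and it assumes the binary is called `screen` and that "restricted to a trusted group" means the execute bit for other users has been removed.

```shell
#!/bin/sh
# Added example: classify screen binaries by setuid-root exposure.
# Status strings (names chosen for this example):
#   missing                 path is not a regular file
#   not-setuid-root         no setuid bit, or owner is not uid 0
#   setuid-root-restricted  setuid-root, "other" users cannot execute it
#   setuid-root-exposed     setuid-root and executable by every local user

classify_screen_binary() {
    bin=$1
    [ -f "$bin" ] || { echo missing; return 0; }

    # ls -ln: field 1 is the mode string, field 3 the numeric owner.
    # -L follows symlinks (screen is often a link to a versioned binary).
    read -r mode _links owner _rest <<EOF
$(ls -lnL -- "$bin")
EOF

    if [ ! -u "$bin" ] || [ "$owner" != 0 ]; then
        echo not-setuid-root
        return 0
    fi

    # Character 10 of the mode string is the execute bit for "other".
    case $mode in
        ?????????[xt]*) echo setuid-root-exposed ;;
        *)              echo setuid-root-restricted ;;
    esac
}

# Report every "screen" found in a colon-separated directory list.
audit_screen_on_path() {
    list=$1
    old_ifs=$IFS
    IFS=:
    for dir in $list; do
        IFS=$old_ifs
        if [ -f "$dir/screen" ]; then
            echo "$dir/screen: $(classify_screen_binary "$dir/screen")"
        fi
    done
    IFS=$old_ifs
}

audit_screen_on_path "$PATH"
```

A result of `setuid-root-exposed` marks an installation where any local user can reach the privileged path-inspection code described above.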
Source: This report was generated using AI