CVE-2025-4802: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-4802) has been discovered in the GNU C Library versions 2.27 to 2.38, involving an untrusted LDLIBRARYPATH environment variable issue. The vulnerability affects statically compiled setuid binaries that call dlopen, including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo (Wiz Report, GNU Advisory).

The vulnerability allows attacker-controlled loading of dynamically shared libraries in statically compiled setuid binaries through the LDLIBRARYPATH environment variable. When a static setuid program calls dlopen, it may incorrectly search LDLIBRARYPATH to locate the SONAME to load, potentially leading to the execution of attacker-controlled library code. The vulnerability was introduced in version 2.27 and affects versions up to 2.38. The CVSS v3.1 base score is 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Wiz Report, NVD).

The vulnerability could lead to the execution of attacker-controlled library code through compromised setuid binaries. While no specific vulnerable programs have been identified at the time of the advisory's publication, the potential impact is significant for any custom setuid programs that might exist in various environments (Wiz Report, GNU Advisory).

The vulnerability has been fixed in GNU C Library version 2.39. The fix involves proper handling of environment variables in dl-support.c. Some distributions have implemented alternative patches, such as the glibc-owl-alt-sanitize-env.patch, which hardens environment variable usage (OSS Security).