CVE-2025-5278: 
Linux Debian vulnerability analysis and mitigation

A heap buffer under-read vulnerability (CVE-2025-5278) was discovered in GNU Coreutils' sort utility. The vulnerability affects the begfield() function when processing traditional key specification syntax, potentially allowing access to memory outside the allocated buffer. This vulnerability was discovered in May 2025 and affects GNU Coreutils versions from 7.2 onwards (OSS Security, NVD).

The vulnerability occurs when the traditional key specification syntax (+POS1[.C1][OPTS]) is used with UINTMAX_MAX as the character position value. The begfield() function in src/sort.c performs unsafe pointer arithmetic that leads to integer wraparound, resulting in a pointer that points one byte before the start of an allocated heap buffer. The vulnerability has been assigned a CVSS v3.1 base score of 4.4 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L (NVD, OSS Security).

When exploited, this vulnerability could lead to a crash of the application or potential leakage of sensitive data through out-of-bounds memory reads. The impact is limited to scenarios where a user runs the sort utility with specifically crafted command-line arguments (NVD).

A fix has been implemented and committed to the GNU Coreutils repository. The solution involves reverting to the more verbose code style from coreutils 7.1, which avoids the issue. The fix is available in the commit 8c9602e3a145e9596dc1a63c6ed67865814b6633 (OSS Security).