Vulnerability DatabaseCVE-2025-8058

CVE-2025-8058:
Rocky Linux vulnerability analysis and mitigation

Overview

A double-free vulnerability (CVE-2025-8058) was discovered in the regcomp function of the GNU C Library (glibc) versions 2.4 through 2.41. The vulnerability was disclosed on July 23, 2025, affecting all architectures and ABIs supported by the GNU C library (NVD, Snyk DB).

Technical details

The vulnerability occurs during bracket expression parsing within the regcomp function when a previous allocation fails. This can be triggered either by a malloc failure or by using an interposed malloc that injects random malloc failures. The vulnerability has been assigned CWE-415 (Double Free) and received a CVSS v3.1 base score of 4.2 (Medium), with attack vector being Local, attack complexity High, and requiring low privileges with user interaction (NVD, Snyk DB).

Impact

The double free vulnerability can potentially allow buffer manipulation depending on how the regex is constructed. The impact assessment indicates low impact on confidentiality, integrity, and availability. While data modification is possible, the attacker has limited control over the consequences of modifications (Snyk DB).

Mitigation and workarounds

As of the disclosure date, there is no fixed version available for affected distributions including Debian 12 and RHEL 8 (Snyk DB).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

5.9

Score

Published July 23, 2025

Severity MEDIUM

CNA Score 5.9

Affected Technologies

Rocky Linux
Alma Linux

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 0.7

Exploitation Probability (EPSS) N/A

Affected packages and libraries

glibc-langpack-kw
glibc-langpack-lij

Sources

NVD
AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Aug 07, 2025
Chainguard
- Chainguard Has FixAdded at: Jul 25, 2025
Container-Optimized OS Release Notes
- Container-Optimized OS Has FixAdded at: Aug 14, 2025
Debian Security Tracker
- Debian 11 Severity MEDIUMNo FixAdded at: Jul 24, 2025
- Debian 12 Severity MEDIUMHas FixAdded at: Jul 24, 2025
- Debian 13 Has FixAdded at: Jul 24, 2025
- Debian 14 Has FixAdded at: Aug 10, 2025
Gentoo Advisory Database
- Gentoo Severity HIGHHas FixAdded at: Sep 18, 2025
Photon Security Advisory
- Photon 5.0 Severity HIGHHas FixAdded at: Sep 03, 2025
Red Hat Errata
- Red Hat 6, 7 Severity MEDIUMNo FixAdded at: Jul 24, 2025
- Red Hat 8 Severity MEDIUMHas FixAdded at: Jul 24, 2025
- Red Hat 9 Severity MEDIUMHas FixAdded at: Jul 24, 2025
- Red Hat 10 Severity MEDIUMHas FixAdded at: Jul 30, 2025
Rocky Linux Product Errata
- Rocky 8 Severity MEDIUMHas FixAdded at: Sep 10, 2025
- Rocky 10 Severity MEDIUMHas FixAdded at: Oct 09, 2025
Ubuntu Security Tracker
- Ubuntu 16.04, 18.04, 20.04 Severity MEDIUMNo FixAdded at: Sep 12, 2025
- Ubuntu 22.04, 24.04 Severity MEDIUMHas FixAdded at: Sep 12, 2025
- Ubuntu 25.04 Severity MEDIUMHas FixAdded at: Sep 09, 2025
Wolfi
- Wolfi Has FixAdded at: Jul 25, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Rocky Linux vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-55315	CRITICAL	9.9	C#	dotnet-hostfxr-9.0	No	Yes	Oct 14, 2025
CVE-2025-11715	HIGH	8.8	NixOS	cpe:2.3:a:mozilla:firefox_esr	No	Yes	Oct 14, 2025
CVE-2025-11714	HIGH	8.8	NixOS	cpe:2.3:a:mozilla:firefox_esr	No	Yes	Oct 14, 2025
CVE-2025-55247	HIGH	7.3	C#	dotnet10.0	No	Yes	Oct 14, 2025
CVE-2025-55248	MEDIUM	5.7	C#	dotnet-hostfxr-8.0-debuginfo	No	Yes	Oct 14, 2025