{
  "threat_severity" : "Moderate",
  "public_date" : "2025-05-13T16:43:21Z",
  "bugzilla" : {
    "description" : "screen: Local Root Exploit via `logfile_reopen()`",
    "id" : "2364184",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2364184"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-250",
  "details" : [ "Screen 5.0.0 when it runs with setuid-root privileges does not drop privileges while operating on a user supplied path. This allows unprivileged users to create files in arbitrary locations with `root` ownership, the invoking user's (real) group ownership and file mode 0644. All data written to the Screen PTY will be logged into this file, allowing to escalate to root privileges", "A flaw was found in Screen. When running with setuid-root privileged, the  logfile_reopen() function does not drop privileges while operating on a user-supplied path. This vulnerability allows an unprivileged user to create files in arbitrary locations with root ownership." ],
  "statement" : "This vulnerability only affects Screen versions 5.0.0 and above.\nThis is a moderate vulnerability because it allows creation or modification of root-owned files only with controlled PTY output and fixed permissions (0644), without enabling arbitrary code execution or full root access. Exploitation relies on triggering logfile_reopen() by manipulating the logfile’s link count or size, which limits reliability. While it breaks expected privilege boundaries, the impact is constrained to integrity issues like log injection or limited file manipulation, justifying a moderate severity classification.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "screen",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "screen",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-23395\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23395" ],
  "name" : "CVE-2025-23395",
  "mitigation" : {
    "value" : "No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}