CVE-2025-6297
HIGH EPSS 26.6%
Published Jul 1, 2025 (1y ago) · Modified Jun 17, 2026 (2w ago)
8.2 CVSS 3.1
Description
It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, an operation documented as being safe even on untrusted data. As a result, temporary files may be left behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages, or on packages with highly compressible files placed inside a directory whose permissions do not allow removal by a non-root user, this can lead to a DoS scenario through disk quota exhaustion or disk-full conditions.
CVSS Details
Base Score
Exploitability
Impact
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: Low
- Availability: None
Threat Intelligence
- EPSS exploit probability: 26.6% (percentile)
Exploit & Patch Status
- No known exploit
- Patch available
Weaknesses (2)
- CWE-400 Uncontrolled Resource Consumption (Resource Mgmt)
- CWE-732 Incorrect Permission Assignment for Critical Resource
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| debian | dpkg | * | <1.22.21 |
References (1)
- git.dpkg.org: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82
Remediation
- git.dpkg.org: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82