CVE-2025-6297

HIGH EPSS 26.6%
Published Jul 1, 20251y ago · Modified Jun 17, 20262w ago
8.2 CVSS 3.1
High
Find Similar
Published Jul 1, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.

CVSS Details

Base Score
8.2
Exploitability
3.9
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
26.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-400 Uncontrolled Resource Consumption Resource Mgmt
CWE-732

Affected Products 1

VendorProductVersionRange
debiandpkg* <1.22.21

References 1

  • git.dpkg.org https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82
    Patch

Remediation

  • git.dpkg.org https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=ed6bbd445dd8800308c67236ba35d08004c98e82
    Patch