SB2025073123 - Race condition in Perl
Published: July 31, 2025
Security Bulletin ID
SB2025073123
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Race condition (CVE-ID: CVE-2025-40909)
The vulnerability allows a local user to tamper with application's behavior.
The vulnerability exists due to a race condition if a directory handle is open at thread creation. A local user can exploit the race and force the application to load code or access files from unexpected location.
Remediation
Install update from vendor's website.
References
- http://www.openwall.com/lists/oss-security/2025/05/23/1
- http://www.openwall.com/lists/oss-security/2025/05/30/4
- http://www.openwall.com/lists/oss-security/2025/06/02/2
- http://www.openwall.com/lists/oss-security/2025/06/02/5
- http://www.openwall.com/lists/oss-security/2025/06/02/6
- http://www.openwall.com/lists/oss-security/2025/06/02/7
- http://www.openwall.com/lists/oss-security/2025/06/03/1
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226
- https://github.com/Perl/perl5/commit/11a11ecf4bea72b17d250cfb43c897be1341861e
- https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch
- https://github.com/Perl/perl5/issues/10387
- https://github.com/Perl/perl5/issues/23010
- https://perldoc.perl.org/5.14.0/perl5136delta#Directory-handles-not-copied-to-threads
- https://www.openwall.com/lists/oss-security/2025/05/22/2