Skip to main content

UNIX v4 CVE-2025-71263

| EUVDEUVD-2025-208655 HIGH
Classic Buffer Overflow (CWE-120)
2026-03-13 mitre
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local shell required (AV:L) with any unprivileged user account (PR:L), no user interaction, straightforward stack overflow (AC:L) yielding full root (C:H/I:H/A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 11, 2026 - 21:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 11, 2026 - 21:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 11, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
Jun 11, 2026 - 21:22 NVD
7.4 (HIGH) 7.8 (HIGH)
EUVD ID Assigned
Mar 13, 2026 - 19:00 euvd
EUVD-2025-208655
Analysis Generated
Mar 13, 2026 - 19:00 vuln.today
CVE Published
Mar 13, 2026 - 18:38 nvd
HIGH 7.4

DescriptionNVD

In UNIX Fourth Research Edition (v4), the su command is vulnerable to a buffer overflow due to the 'password' variable having a fixed size of 100 bytes. A local user can exploit this to gain root privileges. It is unlikely that UNIX v4 is running anywhere outside of a very small number of lab environments.

AnalysisAI

Local privilege escalation in UNIX Fourth Research Edition (v4) su command allows any local user to gain root via a fixed 100-byte buffer overflow in the 'password' variable. EPSS is negligible (0.01%) and no public exploit identified at time of analysis; practical relevance is minimal since UNIX v4 survives only in a handful of historical lab and museum environments. Of historical and academic interest rather than operational risk.

Technical ContextAI

UNIX Fourth Edition is the 1973 Bell Labs research release of UNIX, the first version rewritten in C. The su utility reads a user-supplied password into a stack-allocated character array of fixed size (100 bytes) without bounds checking, the textbook CWE-120 classic buffer copy without checking size of input. Because su is a setuid-root program, overflowing the stack buffer lets an unprivileged local user overwrite saved return addresses or adjacent data and redirect execution while retaining the root euid. The CPE (cpe:2.3:a:at&t_bell_labs:unix:*) and 'Buffer Overflow' tag confirm the issue is scoped to the original AT&T Bell Labs UNIX v4 source tree, not modern Unix-like systems.

RemediationAI

No vendor-released patch identified at time of analysis - AT&T Bell Labs UNIX v4 has been unsupported for roughly five decades, so the only durable fix is to retire the system or migrate to a maintained Unix-like OS. Operators of historical/lab installations (e.g., TUHS-restored PDP-11 environments) can mitigate by removing the setuid bit from /bin/su (trade-off: legitimate users can no longer switch to root and must log in directly on the console), restricting shell access to trusted accounts only, or rebuilding su from source with a bounded input routine that caps password reads at the 100-byte buffer length. See the sigma-star write-up at https://sigma-star.at/blog/2025/12/unix-v4-buffer-overflow/ and the oss-security threads at http://www.openwall.com/lists/oss-security/2026/03/20/6 and http://www.openwall.com/lists/oss-security/2026/03/21/4 for technical detail and discussion.

Share

CVE-2025-71263 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy