What is the CVSS score of EUVD-2025-16945?

EUVD-2025-16945 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Rust are affected by EUVD-2025-16945?

CVE-2025-5791 is a privilege escalation vulnerability in Rust's user crate that could allow attackers to gain unauthorized root-level access on affected systems.. A patch is available.

How to fix or mitigate EUVD-2025-16945?

Within 24 hours: Identify all systems and applications using the Rust user crate and document current deployment inventory. Within 7 days: Implement compensating controls by restricting group membership policies and enabling enhanced audit logging for privilege escalation attempts. Within 30 days: Monitor for vendor patch release and establish an expedited patching process; consider isolating critical systems if patch remains unavailable.

Rust EUVD-2025-16945

| CVE-2025-5791 HIGH

Incorrect Privilege Assignment (CWE-266)

2025-06-06 secalert@redhat.com

GHSA-m65q-v92h-cm7q

Privilege Escalation Red Hat Rust Suse

7.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch released

Apr 06, 2026 - 20:30 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 18:10 euvd

EUVD-2025-16945

Analysis Generated

Mar 14, 2026 - 18:10 vuln.today

CVE Published

Jun 06, 2025 - 14:15 nvd

HIGH 7.1

DescriptionNVD

A flaw was found in the user's crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the erroneous inclusion of the root group in the access list.

AnalysisAI

Privilege escalation vulnerability in the Rust 'users' crate that incorrectly includes the root group in access control lists when a user or process has fewer than 1024 groups. An authenticated local attacker with low privileges can exploit this flaw to gain unauthorized access to resources restricted to the root group, achieving privilege escalation. The vulnerability requires local access and existing user privileges but has high impact on confidentiality and integrity.

Technical ContextAI

The vulnerability exists in the Rust 'users' crate, a library used for Unix/Linux user and group enumeration. The flaw stems from CWE-266 (Incorrect Privilege Assignment), specifically in the group listing logic. The vulnerability manifests when the crate's functions enumerate user groups and encounter a boundary condition: systems using getgroups() or similar APIs may incorrectly process group membership when the actual group count is below 1024 groups. This causes erroneous inclusion of group ID 0 (root) in the returned group list, even when the user is not actually a member of that group. The underlying issue likely involves buffer allocation logic, group enumeration loop termination, or group ID filtering that fails to properly validate group membership before inclusion in the access list.

RemediationAI

Remediation steps: (1) Identify all Rust projects and binaries with the 'users' crate as a dependency using 'cargo tree' or dependency auditing tools; (2) Update the 'users' crate to the patched version (release version number not provided in submission—consult the official Rust users crate repository on crates.io and GitHub for the fix); (3) Rebuild and redeploy affected Rust binaries; (4) For interim mitigation, restrict local user access on systems where feasible, implement AppArmor/SELinux policies to prevent unprivileged users from executing Rust binaries relying on users crate, or isolate service accounts to single-group membership; (5) Monitor audit logs (ausearch, journalctl) for unexpected privilege escalations or root group access by non-root users.

More from same product – last 7 days

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

Ubuntu

Priority: Medium

rust-users

Release	Status	Version
focal	needs-triage	-
jammy	needs-triage	-
noble	needs-triage	-
upstream	needs-triage	-
oracular	ignored	end of life, was needs-triage
questing	DNE	-
plucky	ignored	end of life, was needs-triage

EUVD-2025-16945 vulnerability details – vuln.today

Back