How to fix EUVD-2025-19381?

During next maintenance window: Apply vendor patches when convenient. Verify incorrect permissions controls are in place.

Is Ubuntu affected by EUVD-2025-19381?

CVE-2025-52991 is a low-severity vulnerability involving incorrect permissions (CVSS 3.2). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation. Apply vendor updates when available as part of routine maintenance.

EUVD-2025-19381

| CVE-2025-52991 LOW

2025-06-27 [email protected]

3.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 16, 2026 - 00:16 euvd

EUVD-2025-19381

Analysis Generated

Mar 16, 2026 - 00:16 vuln.today

CVE Published

Jun 27, 2025 - 14:15 nvd

LOW 3.2

Description

The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data manipulation. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.

Analysis

Technical Context

Privilege escalation allows a low-privileged user or process to gain elevated permissions beyond what was originally authorized. This vulnerability is classified as Incorrect Default Permissions (CWE-276).

Affected Products

Affected: Nix

Remediation

Apply the principle of least privilege. Keep systems patched. Monitor for suspicious privilege changes. Use mandatory access controls (SELinux, AppArmor).

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +16

POC: 0

Vendor Status

Ubuntu

Priority: Medium

guix

Release	Status	Version
jammy	needs-triage	-
noble	needs-triage	-
upstream	needs-triage	-
oracular	ignored	end of life, was needs-triage
plucky	ignored	end of life, was needs-triage
questing	DNE	-

Debian

Bug #1108318

guix

Release	Status	Fixed Version	Urgency
bullseye	fixed	(unfixed)	end-of-life
bullseye (security)	vulnerable	1.2.0-4+deb11u3	-
sid	vulnerable	1.4.0-9	-
(unstable)	fixed	(unfixed)	-

EUVD-2025-19381 vulnerability details – vuln.today

Back

EUVD-2025-19381

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

EUVD-2025-19381

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code