Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local shell required (AV:L) with any unprivileged user account (PR:L), no user interaction, straightforward stack overflow (AC:L) yielding full root (C:H/I:H/A:H).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
In UNIX Fourth Research Edition (v4), the su command is vulnerable to a buffer overflow due to the 'password' variable having a fixed size of 100 bytes. A local user can exploit this to gain root privileges. It is unlikely that UNIX v4 is running anywhere outside of a very small number of lab environments.
AnalysisAI
Local privilege escalation in UNIX Fourth Research Edition (v4) su command allows any local user to gain root via a fixed 100-byte buffer overflow in the 'password' variable. EPSS is negligible (0.01%) and no public exploit identified at time of analysis; practical relevance is minimal since UNIX v4 survives only in a handful of historical lab and museum environments. Of historical and academic interest rather than operational risk.
Technical ContextAI
UNIX Fourth Edition is the 1973 Bell Labs research release of UNIX, the first version rewritten in C. The su utility reads a user-supplied password into a stack-allocated character array of fixed size (100 bytes) without bounds checking, the textbook CWE-120 classic buffer copy without checking size of input. Because su is a setuid-root program, overflowing the stack buffer lets an unprivileged local user overwrite saved return addresses or adjacent data and redirect execution while retaining the root euid. The CPE (cpe:2.3:a:at&t_bell_labs:unix:*) and 'Buffer Overflow' tag confirm the issue is scoped to the original AT&T Bell Labs UNIX v4 source tree, not modern Unix-like systems.
RemediationAI
No vendor-released patch identified at time of analysis - AT&T Bell Labs UNIX v4 has been unsupported for roughly five decades, so the only durable fix is to retire the system or migrate to a maintained Unix-like OS. Operators of historical/lab installations (e.g., TUHS-restored PDP-11 environments) can mitigate by removing the setuid bit from /bin/su (trade-off: legitimate users can no longer switch to root and must log in directly on the console), restricting shell access to trusted accounts only, or rebuilding su from source with a bounded input routine that caps password reads at the 100-byte buffer length. See the sigma-star write-up at https://sigma-star.at/blog/2025/12/unix-v4-buffer-overflow/ and the oss-security threads at http://www.openwall.com/lists/oss-security/2026/03/20/6 and http://www.openwall.com/lists/oss-security/2026/03/21/4 for technical detail and discussion.
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208655