Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64641.json
JSON Data
https://api.osv.dev/v1/vulns/AZL-64641
Upstream
Published
2025-07-01T17:15:30Z
Modified
2026-04-21T04:32:30.047131Z
Summary
CVE-2025-6297 affecting package dpkg 1.20.10-1
Details

It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions.

References

Affected packages

Azure Linux:2 / dpkg

Package

Name
dpkg
Purl
pkg:rpm/azure-linux/dpkg

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
1.20.10-1

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64641.json"