CVE-2025-32022

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-32022
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32022.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32022
Aliases
  • GHSA-fv6v-vw8h-9x79
Downstream
Published
2025-05-06T16:57:30Z
Modified
2025-10-22T18:48:18.171816Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:L CVSS Calculator
Summary
Finit has heap based buffer overwrite in urandom.so plugin
Details

Finit provides fast init for Linux systems. Finit's urandom plugin has a heap buffer overwrite vulnerability at boot which leads to it overwriting other parts of the heap, possibly causing random instabilities and undefined behavior. The urandom plugin is enabled by default, so this bug affects everyone using Finit 4.2 or later that do not explicitly disable the plugin at build time. This bug is fixed in Finit 4.12. Those who cannot upgrade or backport the fix to urandom.c are strongly recommended to disable the plugin in the call to the configure script.

Database specific 
{
    "cwe_ids": [
        "CWE-787"
    ]
}
References

Affected packages

Git / github.com/troglobit/finit

Affected ranges

Type
GIT
Repo
https://github.com/troglobit/finit
Events
Introduced
f32e4d4b3013ec3bf7130e5a16a4c63a226a906b
Fixed
6b7478ff4369e263cc00f5857090d06e5a98aff0

Affected versions

4.*

4.10
4.10-rc1
4.10-rc2
4.11
4.11-rc1
4.11-rc2
4.2
4.3
4.3-rc1
4.3-rc2
4.4
4.4-rc1
4.4-rc2
4.5
4.5-rc1
4.5-rc2
4.5-rc3
4.5-rc4
4.5-rc5
4.6
4.7
4.8
4.9
4.9-rc1

Git / github.com/troglobit/finit

Affected ranges

Type
GIT
Repo
https://github.com/finit-project/finit
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
3feff37ba51fa0a6a0a06f59682a0918aa5b04de

Affected versions

0.*

0.1
0.2
0.3
0.4
0.5
0.6-pre

1.*

1.0
1.1
1.10
1.11
1.12
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9

2.*

2.0
2.1
2.2
2.3
2.4

3.*

3.0
3.0-rc1
3.0-rc2
3.1
3.1-rc1
3.1-rc2
3.2-rc1
3.2-rc2
3.2-rc3

4.*

4.0
4.0-rc1
4.0-rc2
4.0-rc3
4.0-rc4
4.1
4.1-rc1
4.1-rc2
4.10
4.10-rc1
4.10-rc2
4.11
4.11-rc1
4.11-rc2
4.2
4.3
4.3-rc1
4.3-rc2
4.4
4.4-rc1
4.4-rc2
4.5
4.5-rc1
4.5-rc2
4.5-rc3
4.5-rc4
4.5-rc5
4.6
4.7
4.8
4.9
4.9-rc1

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/finit-project/finit/commit/3feff37ba51fa0a6a0a06f59682a0918aa5b04de",
        "target": {
            "function": "setup",
            "file": "plugins/urandom.c"
        },
        "id": "CVE-2025-32022-628e1263",
        "deprecated": false,
        "digest": {
            "function_hash": "178593697637987276277287118922728256792",
            "length": 1895.0
        },
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/finit-project/finit/commit/3feff37ba51fa0a6a0a06f59682a0918aa5b04de",
        "target": {
            "file": "plugins/urandom.c"
        },
        "id": "CVE-2025-32022-7578299a",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "60062786998949135848500063710307275671",
                "29873833110006641091182250536174546119",
                "187998132385639940680495033886363906334",
                "273239375245805335434195598012263398413",
                "326232258128890333634883176698067446099",
                "325652760674554428949214935932976424587",
                "152055175974301090877414674553265406366",
                "191209031251022422790197058194559680240",
                "67328687780587298082165206906891338114",
                "334960587684399722999676077204473086694"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    }
]