UBUNTU-CVE-2025-40909

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2025-40909
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-40909.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-40909
Upstream
Downstream
Related
Published
2025-05-30T13:15:00Z
Modified
2025-07-30T05:19:59Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

References

Affected packages

Ubuntu:Pro:14.04:LTS / perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl@5.18.2-2ubuntu1.7+esm5?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.14.2-21build1
5.18.1-4
5.18.1-4build1
5.18.1-5
5.18.2-2
5.18.2-2ubuntu1
5.18.2-2ubuntu1.1
5.18.2-2ubuntu1.3
5.18.2-2ubuntu1.4
5.18.2-2ubuntu1.6
5.18.2-2ubuntu1.7
5.18.2-2ubuntu1.7+esm3
5.18.2-2ubuntu1.7+esm4
5.18.2-2ubuntu1.7+esm5

Ubuntu:Pro:16.04:LTS / perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl@5.22.1-9ubuntu0.9+esm2?arch=source&distro=esm-infra/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.20.2-6
5.22.1-3
5.22.1-4
5.22.1-5
5.22.1-7
5.22.1-8
5.22.1-9
5.22.1-9ubuntu0.2
5.22.1-9ubuntu0.3
5.22.1-9ubuntu0.5
5.22.1-9ubuntu0.6
5.22.1-9ubuntu0.9
5.22.1-9ubuntu0.9+esm1
5.22.1-9ubuntu0.9+esm2

Ubuntu:Pro:18.04:LTS / perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl@5.26.1-6ubuntu0.7?arch=source&distro=esm-infra/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.26.0-8ubuntu1
5.26.1-2ubuntu1
5.26.1-3
5.26.1-4
5.26.1-4build1
5.26.1-5
5.26.1-6
5.26.1-6ubuntu0.1
5.26.1-6ubuntu0.2
5.26.1-6ubuntu0.3
5.26.1-6ubuntu0.5
5.26.1-6ubuntu0.6
5.26.1-6ubuntu0.7

Ubuntu:Pro:20.04:LTS / perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl@5.30.0-9ubuntu0.5?arch=source&distro=esm-infra/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.28.1-6build1
5.30.0-7
5.30.0-9
5.30.0-9build1
5.30.0-9ubuntu0.2
5.30.0-9ubuntu0.3
5.30.0-9ubuntu0.4
5.30.0-9ubuntu0.5

Ubuntu:22.04:LTS / perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl@5.34.0-3ubuntu1.5?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.34.0-3ubuntu1.5

Affected versions

5.*

5.32.1-3ubuntu3
5.34.0-3ubuntu1
5.34.0-3ubuntu1.1
5.34.0-3ubuntu1.2
5.34.0-3ubuntu1.3
5.34.0-3ubuntu1.4

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "libperl-dev",
            "binary_version": "5.34.0-3ubuntu1.5"
        },
        {
            "binary_name": "libperl5.34",
            "binary_version": "5.34.0-3ubuntu1.5"
        },
        {
            "binary_name": "perl",
            "binary_version": "5.34.0-3ubuntu1.5"
        },
        {
            "binary_name": "perl-base",
            "binary_version": "5.34.0-3ubuntu1.5"
        },
        {
            "binary_name": "perl-debug",
            "binary_version": "5.34.0-3ubuntu1.5"
        },
        {
            "binary_name": "perl-doc",
            "binary_version": "5.34.0-3ubuntu1.5"
        },
        {
            "binary_name": "perl-modules-5.34",
            "binary_version": "5.34.0-3ubuntu1.5"
        }
    ],
    "availability": "No subscription required"
}

Ubuntu:24.04:LTS / perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl@5.38.2-3.2ubuntu0.2?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.38.2-3.2ubuntu0.2

Affected versions

5.*

5.36.0-9ubuntu1
5.36.0-10ubuntu1
5.38.2-3
5.38.2-3.2
5.38.2-3.2build1
5.38.2-3.2build2
5.38.2-3.2build2.1
5.38.2-3.2ubuntu0.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "libperl-dev",
            "binary_version": "5.38.2-3.2ubuntu0.2"
        },
        {
            "binary_name": "libperl5.38t64",
            "binary_version": "5.38.2-3.2ubuntu0.2"
        },
        {
            "binary_name": "perl",
            "binary_version": "5.38.2-3.2ubuntu0.2"
        },
        {
            "binary_name": "perl-base",
            "binary_version": "5.38.2-3.2ubuntu0.2"
        },
        {
            "binary_name": "perl-debug",
            "binary_version": "5.38.2-3.2ubuntu0.2"
        },
        {
            "binary_name": "perl-doc",
            "binary_version": "5.38.2-3.2ubuntu0.2"
        },
        {
            "binary_name": "perl-modules-5.38",
            "binary_version": "5.38.2-3.2ubuntu0.2"
        }
    ],
    "availability": "No subscription required"
}

Ubuntu:25.04 / perl

Package

Name
perl
Purl
pkg:deb/ubuntu/perl@5.40.1-2ubuntu0.2?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.40.1-2ubuntu0.2

Affected versions

5.*

5.38.2-5
5.40.0-6
5.40.0-7
5.40.0-8
5.40.1-2
5.40.1-2ubuntu0.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "libperl-dev",
            "binary_version": "5.40.1-2ubuntu0.2"
        },
        {
            "binary_name": "libperl5.40",
            "binary_version": "5.40.1-2ubuntu0.2"
        },
        {
            "binary_name": "perl",
            "binary_version": "5.40.1-2ubuntu0.2"
        },
        {
            "binary_name": "perl-base",
            "binary_version": "5.40.1-2ubuntu0.2"
        },
        {
            "binary_name": "perl-debug",
            "binary_version": "5.40.1-2ubuntu0.2"
        },
        {
            "binary_name": "perl-doc",
            "binary_version": "5.40.1-2ubuntu0.2"
        },
        {
            "binary_name": "perl-modules-5.40",
            "binary_version": "5.40.1-2ubuntu0.2"
        }
    ],
    "availability": "No subscription required"
}