CVE-2025-1390

Vulnerability

Description

The PAM module pam_cap.so in libcap contains a configuration parsing flaw. The module is designed to recognize group names prefixed with "@" in /etc/security/capability.conf. However, due to incorrect parsing logic, entries that do not start with "@" are also treated as group names. This misclassification can cause users who were not intended to receive inherited capabilities to be granted them [1].

Exploitation

An attacker can exploit this vulnerability by crafting a specific username that matches a non-@-prefixed entry in the configuration file. No authentication is required beyond local access to the system. The attack surface is limited to systems that use /etc/security/capability.conf to configure user inherited privileges, which is common in environments leveraging Linux capabilities for fine-grained privilege management [1].

Impact

Successful exploitation allows a local attacker to gain inherited capabilities that were not intended for their user account. This can lead to local privilege escalation, potentially enabling the attacker to perform actions restricted to higher-privileged users or processes, such as bypassing security controls or accessing sensitive resources [1].

Mitigation

The bug has been fixed in the upstream libcap repository (commit 1ad42b66c3567481cc5fa22fc1ba1556a316d878). Distributions such as Anolis OS 8, 23, and 23.2 have released patches via their respective pull requests. Users should update their libcap packages to the latest version to mitigate the risk [1].