High severity8.6OSV Advisory· Published Apr 29, 2025· Updated Apr 15, 2026

CVE-2025-29906

Description

Finit is a fast init for Linux systems. Versions starting from 3.0-rc1 and prior to version 4.11 bundle an implementation of getty for the tty configuration directive that can bypass /bin/login, i.e., a user can log in as any user without authentication. This issue has been patched in version 4.11.

Affected products

Troglobit/FinitOSV
Range: 3.0, 3.0-rc1, 3.0-rc2, …

Patches

6528628b5c77

https://github.com/finit-project/finitvia osv

185a72bd14d0

https://github.com/troglobit/finitvia osv

6528628b5c77

https://github.com/troglobit/finitvia osv

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/troglobit/finit/commit/6528628b5c771c25ffa0cb1a46c6c89d9d0d69e0nvd
github.com/troglobit/finit/security/advisories/GHSA-563g-p98j-mc9qnvd

News mentions

No linked articles in our index yet.

cvss	0.559
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000