CVE-2025-32022

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-32022
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-32022.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-32022
Aliases
  • GHSA-fv6v-vw8h-9x79
Downstream
Published
2025-05-06T17:16:12Z
Modified
2025-09-19T15:26:19.698598Z
Summary
[none]
Details

Finit provides fast init for Linux systems. Finit's urandom plugin has a heap buffer overwrite vulnerability at boot which leads to it overwriting other parts of the heap, possibly causing random instabilities and undefined behavior. The urandom plugin is enabled by default, so this bug affects everyone using Finit 4.2 or later that do not explicitly disable the plugin at build time. This bug is fixed in Finit 4.12. Those who cannot upgrade or backport the fix to urandom.c are strongly recommended to disable the plugin in the call to the configure script.

References

Affected packages

Git / github.com/finit-project/finit

Affected ranges

Type
GIT
Repo
https://github.com/finit-project/finit
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
3feff37ba51fa0a6a0a06f59682a0918aa5b04de

Affected versions

0.*

0.1
0.2
0.3
0.4
0.5
0.6-pre

1.*

1.0
1.1
1.10
1.11
1.12
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9

2.*

2.0
2.1
2.2
2.3
2.4

3.*

3.0
3.0-rc1
3.0-rc2
3.1
3.1-rc1
3.1-rc2
3.2-rc1
3.2-rc2
3.2-rc3

4.*

4.0
4.0-rc1
4.0-rc2
4.0-rc3
4.0-rc4
4.1
4.1-rc1
4.1-rc2
4.10
4.10-rc1
4.10-rc2
4.11
4.11-rc1
4.11-rc2
4.2
4.3
4.3-rc1
4.3-rc2
4.4
4.4-rc1
4.4-rc2
4.5
4.5-rc1
4.5-rc2
4.5-rc3
4.5-rc4
4.5-rc5
4.6
4.7
4.8
4.9
4.9-rc1

Database specific 

{
    "vanir_signatures": [
        {
            "id": "CVE-2025-32022-628e1263",
            "signature_type": "Function",
            "target": {
                "file": "plugins/urandom.c",
                "function": "setup"
            },
            "digest": {
                "function_hash": "178593697637987276277287118922728256792",
                "length": 1895.0
            },
            "source": "https://github.com/finit-project/finit/commit/3feff37ba51fa0a6a0a06f59682a0918aa5b04de",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2025-32022-7578299a",
            "signature_type": "Line",
            "target": {
                "file": "plugins/urandom.c"
            },
            "digest": {
                "line_hashes": [
                    "60062786998949135848500063710307275671",
                    "29873833110006641091182250536174546119",
                    "187998132385639940680495033886363906334",
                    "273239375245805335434195598012263398413",
                    "326232258128890333634883176698067446099",
                    "325652760674554428949214935932976424587",
                    "152055175974301090877414674553265406366",
                    "191209031251022422790197058194559680240",
                    "67328687780587298082165206906891338114",
                    "334960587684399722999676077204473086694"
                ],
                "threshold": 0.9
            },
            "source": "https://github.com/finit-project/finit/commit/3feff37ba51fa0a6a0a06f59682a0918aa5b04de",
            "signature_version": "v1",
            "deprecated": false
        }
    ]
}