CVE-2025-46805

5.5 MEDIUM

📋 TL;DR

A Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in Screen versions 5.0.0 and older 4.x releases allows local attackers to send SIGHUP and SIGCONT signals to privileged processes when Screen is installed setuid-root. This affects systems where Screen is installed with setuid permissions, typically Linux/Unix systems.

💻 Affected Systems

Products:
  • GNU Screen
Versions: Screen 5.0.0 and all 4.x releases
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when Screen is installed with setuid-root permissions. Some distributions may install Screen without setuid by default.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could terminate or manipulate privileged processes, potentially causing service disruption or gaining unauthorized access to sensitive operations.

🟠 Likely Case

Local privilege escalation allowing attackers to interfere with system processes, potentially leading to denial of service or limited privilege escalation.

🟢 If Mitigated

Minimal impact if Screen is not installed setuid-root or proper access controls prevent local attackers from executing Screen.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: MEDIUM - Internal users with local shell access could exploit this to escalate privileges or disrupt system processes.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and precise timing to win the race condition. No public exploit code has been disclosed as of the advisory date.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Screen 5.0.1 or later

Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-46805

Restart Required: No

Instructions:

  1. Check current Screen version with 'screen --version'.
  2. Update Screen using your distribution's package manager (apt, yum, dnf, etc.).
  3. Verify installation with 'screen --version' to confirm version 5.0.1 or higher.

🔧 Temporary Workarounds

Remove setuid permissions

linux

Remove setuid-root permissions from Screen binary to prevent privilege escalation

sudo chmod u-s $(which screen)

Install without setuid

linux

Reinstall Screen without setuid permissions if rebuilding from source

./configure --disable-setuid
make
sudo make install

🧯 If You Can't Patch

  • Remove setuid permissions from Screen binary using 'chmod u-s'
  • Restrict local user access to systems with vulnerable Screen installations

🔍 How to Verify

Check if Vulnerable:

Check if Screen has setuid permissions: 'ls -la $(which screen) | grep "^...s"' and check version: 'screen --version | head -1'

Check Version:

screen --version | head -1

Verify Fix Applied:

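Verify Screen version is 5.0.1 or higher: 'screen --version | grep -E "version (5\.[0-9]+\.[1-9]|5\.[1-9])"' (the pattern is anchored on the word "version" so that digits elsewhere in the line cannot match) and confirm the setuid bit is removed if using the workaround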
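
The setuid check and the version check above, combined into one verdict. This is an added example, not part of the original page; the function names are hypothetical, and the boundary it applies (5.0.0 and all 4.x affected only when setuid-root, 5.0.1 fixed) is the one stated on this page.

```shell
# Added example: classify a GNU Screen install against CVE-2025-46805.
# Rule from this page: 5.0.0 and 4.x affected only if setuid-root; 5.0.1+ fixed.

# Print "major minor patch" from a `screen --version` line.
# Fields can be zero-padded (e.g. 4.09.01), so awk normalises them to integers.
parse_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*version \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p' |
        awk '{ print $1 + 0, $2 + 0, $3 + 0 }'
}

# Return 0 for 5.0.1 or later, 1 for anything older, 2 if the line is unparsable.
version_is_fixed() {
    set -- $(parse_version "$1")
    [ $# -eq 3 ] || return 2
    [ "$1" -gt 5 ] && return 0
    [ "$1" -lt 5 ] && return 1
    [ "$2" -gt 0 ] || [ "$3" -ge 1 ]
}

# Print "yes" when the file is owned by uid 0 and carries the setuid bit.
is_setuid_root() {
    if [ -u "$1" ] && [ "$(ls -Lnd "$1" | awk '{ print $3 }')" = "0" ]; then
        echo yes
    else
        echo no
    fi
}

# classify <version line> <yes|no>: combine both conditions into one verdict.
classify() {
    rc=0
    version_is_fixed "$1" || rc=$?
    case "$rc:$2" in
        0:*)   echo "fixed" ;;
        2:*)   echo "unknown-version" ;;
        1:yes) echo "vulnerable" ;;
        1:*)   echo "affected-version-not-setuid" ;;
    esac
}

# Check the local install, if there is one.
bin=$(command -v screen 2>/dev/null) || bin=""
if [ -n "$bin" ]; then
    classify "$(screen --version | head -n 1)" "$(is_setuid_root "$bin")"
else
    echo "screen not found in PATH"
fi
```

A verdict of "affected-version-not-setuid" means the package should still be updated, but the signal-sending condition described in the TL;DR is not met on that host.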

📡 Detection & Monitoring

Log Indicators:

  • Unusual Screen process activity from non-privileged users
  • Failed privilege escalation attempts in system logs

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

process.name:"screen" AND user.name NOT IN ("root", "admin") AND process.args:"-S"
