{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2025-71263", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-03-13T18:38:07.187Z", "datePublished": "2026-03-13T18:38:07.721Z", "dateUpdated": "2026-03-21T22:00:54.839Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "UNIX", "vendor": "AT&T Bell Labs", "versions": [{"status": "affected", "version": "4", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In UNIX Fourth Research Edition (v4), the su command is vulnerable to a buffer overflow due to the 'password' variable having a fixed size of 100 bytes. A local user can exploit this to gain root privileges. It is unlikely that UNIX v4 is running anywhere outside of a very small number of lab environments. NOTE: This vulnerability only affects products that are no longer supported by the maintainer."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-21T22:00:54.839Z"}, "references": [{"url": "https://sigma-star.at/blog/2025/12/unix-v4-buffer-overflow/"}, {"url": "https://www.tuhs.org/pipermail/tuhs/2026-January/032991.html"}, {"url": "https://discuss.systems/@ricci/115747843169814700"}, {"url": "https://www.spinellis.gr/blog/20251223/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "tags": ["unsupported-when-assigned"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T19:36:07.731823Z", "id": "CVE-2025-71263", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:36:17.585Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/20/6"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/21/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-21T19:07:38.428Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/20/6"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/21/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-21T19:07:38.428Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-71263", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-13T19:36:07.731823Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:36:14.094Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AT&T Bell Labs", "product": "UNIX", "versions": [{"status": "affected", "version": "4", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://sigma-star.at/blog/2025/12/unix-v4-buffer-overflow/"}, {"url": "https://www.tuhs.org/pipermail/tuhs/2026-January/032991.html"}, {"url": "https://discuss.systems/@ricci/115747843169814700"}, {"url": "https://www.spinellis.gr/blog/20251223/"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In UNIX Fourth Research Edition (v4), the su command is vulnerable to a buffer overflow due to the 'password' variable having a fixed size of 100 bytes. A local user can exploit this to gain root privileges. It is unlikely that UNIX v4 is running anywhere outside of a very small number of lab environments. NOTE: This vulnerability only affects products that are no longer supported by the maintainer."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-21T22:00:54.839Z"}}}, "cveMetadata": {"cveId": "CVE-2025-71263", "state": "PUBLISHED", "dateUpdated": "2026-03-21T22:00:54.839Z", "dateReserved": "2026-03-13T18:38:07.187Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-13T18:38:07.721Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "In UNIX Fourth Research Edition (v4), the su command is vulnerable to a buffer overflow due to the 'password' variable having a fixed size of 100 bytes. A local user can exploit this to gain root privileges. It is unlikely that UNIX v4 is running anywhere outside of a very small number of lab environments. NOTE: This vulnerability only affects products that are no longer supported by the maintainer."}, {"lang": "es", "value": "En UNIX Cuarta Edici\u00f3n de Investigaci\u00f3n (v4), el comando su es vulnerable a un desbordamiento de b\u00fafer debido a que la variable 'password' tiene un tama\u00f1o fijo de 100 bytes. Un usuario local puede explotar esto para obtener privilegios de root. Es poco probable que UNIX v4 se est\u00e9 ejecutando en alg\u00fan lugar fuera de un n\u00famero muy reducido de entornos de laboratorio."}], "id": "CVE-2025-71263", "lastModified": "2026-03-21T22:16:18.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-03-13T19:53:53.983", "references": [{"source": "cve@mitre.org", "url": "https://discuss.systems/@ricci/115747843169814700"}, {"source": "cve@mitre.org", "url": "https://sigma-star.at/blog/2025/12/unix-v4-buffer-overflow/"}, {"source": "cve@mitre.org", "url": "https://www.spinellis.gr/blog/20251223/"}, {"source": "cve@mitre.org", "url": "https://www.tuhs.org/pipermail/tuhs/2026-January/032991.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/20/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/21/4"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "UNIX", "source": "cna", "vendor": "AT&T Bell Labs"}, "product": "unix", "vendor": "at&t_bell_labs"}], "analysis": {"en": {"generated_at": "2026-03-22T00:21:37.345100+00:00", "value": {"mitigation_remediation": ["Identify all systems running AT&T Bell Labs UNIX Fourth Research Edition and isolate them from network and local connections where feasible", "If su is not required for operations, disable or remove it from the system", "Migrate remaining installations to a supported, modern operating system to eliminate the vulnerability"], "summary": {"action": "Isolate", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected vendor is AT&T Bell Labs, specifically the UNIX operating system in its Fourth Research Edition. The CVE description explicitly identifies this version as v4 and notes that it is no longer maintained or supported.", "description_and_impact": "The vulnerability is a stack-based buffer overflow triggered by the su command in the UNIX operating system. A password input longer than the 100\u2011byte limit overruns the stack, allowing an attacker to overwrite return addresses and execute arbitrary code with the privileges of the su command. The result is that a local user can gain root authority on the affected system.", "risk_and_exploitability": "The CVSS score of 7.4 denotes high severity, while an EPSS score of less than 1% indicates that exploitation is unlikely in the wild. The flaw is not listed in the CISA KEV catalog. The likely attack vector is a local user running the su command on a machine still operating UNIX v4. Because no patch exists, the primary risk mitigation is to restrict local access or migrate away from the obsolete platform."}}}}, "created": "2026-03-16T09:24:34.746028+00:00", "title": "Buffer Overflow in UNIX su Command Enables Local Privilege Escalation", "updated": "2026-03-23T13:40:25.398396+00:00", "vendors": ["at&t_bell_labs", "at&t_bell_labs$PRODUCT$unix"]}