CVE-2025-46802

Public on 2025-05-13
Modified on 2025-06-02
Description

TTY Hijacking while Attaching to a Multiuser Session in the screen package

Has potential to break some reattach use cases, but the specific use case was broken already before.
screen in Debian not installed setuid or setgid
DEBIANBUG: [1105191]

Info: https://www.openwall.com/lists/oss-security/2025/05/12/1
Patch: https://git.savannah.gnu.org/cgit/screen.git/commit/?id=049b26b22e197ba3be9c46e5c193032e01a4724a

Severity
Medium
See what this means
CVSS v3 Base Score
6.0
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Core screen 2025-06-12 ALAS2-2025-2878
Amazon Linux 2023 screen 2025-06-10 ALAS2023-2025-1006

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 6.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
NVD CVSSv3 6.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2025-46802 Mitre: CVE-2025-46802