CVE-2025-46802 Overview
CVE-2025-46802 is a race condition vulnerability in GNU Screen where the pseudo-terminal (PTY) is temporarily set to mode 666 (world-readable and world-writable permissions) during session initialization. This insecure permission window allows any local user on the system to connect to the screen session, potentially leading to unauthorized access to terminal sessions and sensitive information.
Critical Impact
Local attackers can exploit the brief window of insecure PTY permissions to hijack or eavesdrop on screen sessions belonging to other users on the system.
Affected Products
- GNU Screen (specific affected versions not yet confirmed)
- Linux distributions using affected GNU Screen versions
- SUSE Linux products (as indicated by vendor bug report)
Discovery Timeline
- 2025-05-12 - Vulnerability disclosed via Openwall OSS Security mailing list
- 2025-05-26 - CVE-2025-46802 published to NVD
- 2025-05-28 - Last updated in NVD database
Technical Details for CVE-2025-46802
Vulnerability Analysis
This vulnerability falls under CWE-732 (Incorrect Permission Assignment for Critical Resource). The root cause is a Time-of-Check Time-of-Use (TOCTOU) race condition in how GNU Screen initializes pseudo-terminal devices.
When a new screen session is created, the PTY device file is briefly set to mode 666, which grants read and write permissions to all users on the system. While this permissive state is intended to be temporary before proper permissions are applied, the window of opportunity creates a race condition that attackers can exploit.
The local attack vector requires the attacker to have an existing account on the target system. The vulnerability requires precise timing and some user interaction to exploit successfully, which moderates the overall risk. However, successful exploitation could result in high confidentiality and integrity impact as attackers gain access to terminal session content and can potentially inject commands.
Root Cause
The vulnerability stems from improper permission assignment during PTY allocation in GNU Screen. The application temporarily sets overly permissive file permissions (mode 666) on the pseudo-terminal device before restricting them to appropriate levels. This creates a window during which any local user can access the PTY device file.
Attack Vector
The attack requires local access to the target system. An attacker must monitor for new screen session creation and quickly connect to the PTY device while it still has world-accessible permissions. The attack flow typically involves:
- The attacker monitors the /dev/pts/ directory for new PTY devices being created
- When a victim user starts a new screen session, the PTY is briefly created with mode 666
- The attacker races to open the PTY device before permissions are restricted
- If successful, the attacker can read session output or inject input into the victim's terminal
This is a classic TOCTOU race condition where the time between permission assignment and permission correction creates an exploitable window. Technical details are available in the Openwall OSS Security advisory.
Detection Methods for CVE-2025-46802
Indicators of Compromise
- Unexpected connections to screen sessions from unauthorized users
- Anomalous file access patterns in /dev/pts/ directory by non-owning users
- Log entries showing multiple users accessing the same PTY device
- Unusual process activity monitoring PTY device creation
Detection Strategies
- Monitor for processes repeatedly scanning /dev/pts/ for new device files
- Implement audit logging on PTY device file access using auditd
- Alert on screen sessions with unexpected attached users or unusual connection patterns
- Deploy file integrity monitoring on critical terminal device directories
Monitoring Recommendations
- Configure auditd rules to log access attempts to PTY devices by non-owning users
- Implement real-time monitoring of screen session attachment events
- Review system logs for patterns indicating race condition exploitation attempts
- Monitor for scripts or tools designed to exploit PTY permission races
How to Mitigate CVE-2025-46802
Immediate Actions Required
- Review and update GNU Screen to the latest available version from your distribution
- Restrict local system access to trusted users only
- Consider using alternative terminal multiplexers (tmux) as a temporary measure
- Monitor the SUSE bug report for patch availability
Patch Information
Patch information is currently being tracked by vendors. Administrators should monitor the following resources for updates:
- SUSE Bug Report for CVE-2025-46802
- Openwall OSS Security Discussion
- Distribution-specific security advisories
Workarounds
- Limit local shell access to only essential users who require it
- Consider implementing mandatory access controls (SELinux/AppArmor) to restrict PTY access patterns
- Use tmux as an alternative terminal multiplexer until patches are available
- Implement additional monitoring and alerting for screen session access anomalies
# Example auditd rule to monitor PTY device access
# Add to /etc/audit/rules.d/screen-pty.rules
-w /dev/pts/ -p rwa -k pty_access
-a always,exit -F arch=b64 -S openat -F dir=/dev/pts/ -F success=1 -k pty_open
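
An added example, not part of the original advisory: a Python triage script for the records the `pty_open` rule above produces. It reports successful opens of a `/dev/pts/N` device by a UID other than the device owner and whether the device was world-accessible at that moment. The log lines are constructed samples in auditd's format, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd log format (not captured from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1747000000.101:501): arch=c000003e syscall=257 success=yes exit=3 pid=1301 auid=1000 uid=1000 comm="screen" exe="/usr/bin/screen" key="pty_open"
type=PATH msg=audit(1747000000.101:501): item=0 name="/dev/pts/4" mode=020666 ouid=1000 ogid=5 nametype=NORMAL
type=SYSCALL msg=audit(1747000000.105:502): arch=c000003e syscall=257 success=yes exit=3 pid=1410 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="pty_open"
type=PATH msg=audit(1747000000.105:502): item=0 name="/dev/pts/4" mode=020666 ouid=1000 ogid=5 nametype=NORMAL
type=SYSCALL msg=audit(1747000000.300:503): arch=c000003e syscall=257 success=yes exit=3 pid=1500 auid=1001 uid=1001 comm="bash" exe="/usr/bin/bash" key="pty_open"
type=PATH msg=audit(1747000000.300:503): item=0 name="/dev/pts/5" mode=020620 ouid=1001 ogid=5 nametype=NORMAL
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PTS_DEVICE = re.compile(r"^/dev/pts/\d+$")  # skips /dev/pts/ptmx and the directory

def parse_events(log_text):
    """Group records by audit event id: {id: {record type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[m.group(1)][fields.get("type")].append(fields)
    return events

def foreign_pty_opens(log_text, key="pty_open"):
    """Successful opens of /dev/pts/N by a uid that does not own the device."""
    findings = []
    for event_id, recs in parse_events(log_text).items():
        syscall = (recs.get("SYSCALL") or [{}])[0]
        if syscall.get("key") != key or syscall.get("success") != "yes":
            continue
        for path in recs.get("PATH", []):
            if not PTS_DEVICE.match(path.get("name", "")) or syscall.get("uid") == path.get("ouid"):
                continue  # not a PTY device, or the owner opening their own terminal
            findings.append({
                "event": event_id,
                "pty": path["name"],
                "owner_uid": path.get("ouid"),
                "opener_uid": syscall.get("uid"),
                "exe": syscall.get("exe"),
                # auditd logs the mode in octal; 0o006 = read/write bits for "other"
                "world_rw": bool(int(path.get("mode", "0"), 8) & 0o006),
            })
    return findings

if __name__ == "__main__":
    print(*foreign_pty_opens(SAMPLE_LOG), sep="\n")
```

Pass it the text of the audit log; findings with `world_rw` set to `True` are the ones that match the mode 666 window described in this advisory, while the rest are usually group-permission opens of another user's terminal.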


