PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-71263 AT&T Bell Labs CVE debrief

A buffer overflow vulnerability exists in the `su` command of UNIX Fourth Research Edition (v4), where the `password` variable is allocated a fixed 100-byte buffer. A local attacker can exploit this to achieve root privilege escalation. The vulnerability is confined to an unsupported, historical operating system version with negligible modern deployment.

Vendor: AT&T Bell Labs
Product: UNIX
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-13
Original CVE updated: 2026-06-11
Advisory published: 2026-03-13
Advisory updated: 2026-06-11

Who should care

Organizations maintaining historical computing collections, museums, or academic lab environments running UNIX v4 for research or preservation purposes. No action is required for modern production infrastructure.

Technical summary

In UNIX Fourth Research Edition (v4), the `su` command uses a fixed 100-byte stack buffer for the `password` variable. Supplying input exceeding this length causes a buffer overflow that can overwrite adjacent memory, including return addresses. Successful exploitation yields arbitrary code execution with root privileges. The attack requires local access (AV:L) and is rated HIGH severity (CVSS 3.1: 7.4) despite high attack complexity (AC:H) because confidentiality, integrity, and availability impacts are all high. The vulnerability does not affect any supported product versions; UNIX v4 is an obsolete research release with effectively no production footprint.

Defensive priority

low

Recommended defensive actions

  • Inventory systems to confirm no UNIX Fourth Research Edition (v4) instances remain in production or accessible environments.
  • If UNIX v4 systems exist for historical or research purposes, isolate them from production networks and restrict interactive local access to authorized personnel only.
  • Apply source-code mitigation if maintaining a custom build: replace the fixed-size `password` buffer with dynamic allocation or bounded input handling, and compile with modern stack-protection flags where the toolchain supports them.
  • Monitor for anomalous local privilege-escalation attempts on any legacy UNIX systems that cannot be decommissioned.
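The technical summary and the source-code mitigation above describe the same defect from two sides: a fixed 100-byte `password` buffer filled without a length check, and a bounded replacement. The following is an added, constructed illustration written for this debrief, not the historical UNIX v4 `su.c` source and not PatchSiren's code. It assumes a buffer of `PASSWORD_BUFSZ` (100) bytes and a line-oriented password prompt; `copy_password_unchecked`, `overflow_bytes` and `read_password_line` are hypothetical names. The unchecked copy is shown only for contrast; the bounded reader rejects over-long lines outright instead of truncating them, because silent truncation would let a password followed by arbitrary trailing bytes still authenticate.

```c
#include <stdio.h>
#include <string.h>

/* Constructed: the fixed-size buffer the advisory describes (CWE-120). */
#define PASSWORD_BUFSZ 100

/* Vulnerable pattern: copy the whole input with no size check.  Any input
 * longer than PASSWORD_BUFSZ - 1 bytes writes past the end of the buffer,
 * which on a stack-allocated buffer reaches saved registers and the return
 * address.  Shown for contrast only; never call it with untrusted input. */
static void copy_password_unchecked(char *password, const char *input)
{
    strcpy(password, input);
}

/* How many bytes an input of length n (without NUL) would write past a
 * buffer of bufsz bytes.  0 means the input fits with its terminator. */
size_t overflow_bytes(size_t n, size_t bufsz)
{
    size_t needed = n + 1;               /* room for the terminating NUL */
    return needed > bufsz ? needed - bufsz : 0;
}

/* Bounded replacement: read one line from fp into password[bufsz].
 * Returns  0 on success (newline stripped),
 *         -1 if the line did not fit (buffer cleared, rest of line drained),
 *         -2 on EOF before any input. */
int read_password_line(FILE *fp, char *password, size_t bufsz)
{
    password[0] = '\0';
    if (fgets(password, (int)bufsz, fp) == NULL)
        return -2;

    size_t n = strlen(password);
    if (n > 0 && password[n - 1] == '\n') {
        password[n - 1] = '\0';          /* normal case: whole line fit */
        return 0;
    }

    /* No newline seen: either the final line lacked one, the line was
     * exactly bufsz-1 characters, or it was longer than the buffer. */
    int c = fgetc(fp);
    if (c == EOF || c == '\n')
        return 0;                        /* fit exactly, or last line */

    while (c != '\n' && c != EOF)        /* drain the over-long remainder */
        c = fgetc(fp);
    memset(password, 0, bufsz);          /* do not keep a partial secret */
    return -1;
}

int main(void)
{
    char password[PASSWORD_BUFSZ];

    /* Constructed input: a 150-byte line, longer than the buffer. */
    char line[152];
    memset(line, 'A', 150);
    line[150] = '\n';
    line[151] = '\0';

    printf("150-byte input overflows a %d-byte buffer by %zu bytes\n",
           PASSWORD_BUFSZ, overflow_bytes(150, PASSWORD_BUFSZ));

    FILE *fp = tmpfile();                /* stands in for the terminal */
    if (fp == NULL)
        return 1;
    fputs(line, fp);
    rewind(fp);
    int rc = read_password_line(fp, password, PASSWORD_BUFSZ);
    printf("bounded reader returned %d (buffer %s)\n",
           rc, password[0] == '\0' ? "cleared" : "filled");
    fclose(fp);

    copy_password_unchecked(password, "short");   /* safe only because the input is short */
    printf("unchecked copy of a short input: %s\n", password);
    return 0;
}
```

The bounded reader is the piece to carry into a custom build; the monitoring action above is then simplified, because an over-long password line becomes a logged rejection rather than a corrupted stack.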

Evidence notes

The vulnerability was assigned CVE-2025-71263 and published on 2026-03-13. The NVD record lists the affected product as `cpe:2.3:o:opengroup:unix:4:*:*:*:*:*:*:*` with CVSS 3.1 vector `CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`, yielding a base score of 7.4 (HIGH). The weakness is classified as CWE-120 (buffer copy without checking size of input). Multiple independent references confirm technical details and discussion: a technical description by Spinellis, press coverage by sigma-star, and mailing-list threads on TUHS and oss-security. The CVE description explicitly notes that affected products are no longer supported by the maintainer and that operational instances are likely limited to a very small number of lab environments.
