PatchSiren

CVE-2016-10151 Hesiod Project CVE debrief

CVE-2016-10151 describes a local privilege escalation issue in Hesiod 3.2.1. The vulnerable logic in hesiod_init compares EUID with UID to decide whether to take configuration from environment variables, allowing a local user to influence behavior through HESIOD_CONFIG or HES_DOMAIN when a SUID/SGID binary uses the library.

Vendor: Hesiod Project
Product: CVE-2016-10151
CVSS: HIGH 7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Administrators and maintainers of systems that ship Hesiod 3.2.1, especially where setuid/setgid programs link against the library or otherwise rely on its initialization path. Security teams should also care if they inventory Linux distributions or embedded systems that may include this version.

Technical summary

NVD lists Hesiod 3.2.1 as affected and assigns CVSS 3.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H with CWE-264. The issue is that hesiod_init in lib/hesiod.c can use attacker-controlled environment variables (HESIOD_CONFIG or HES_DOMAIN) based on an EUID-versus-UID check, which is unsafe when the library is reached from privileged binaries. The result is a local attack path that can affect confidentiality, integrity, and availability if a vulnerable privileged consumer is present.
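
Why an EUID-versus-UID comparison alone is a weak privilege test, shown as an added C sketch that is not Hesiod's code or the upstream patch: a setgid-only process has matching UIDs, so the UID-only check still trusts the environment. The function names and sample IDs are constructed for illustration, and getauxval(AT_SECURE) assumes Linux.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (Linux-specific) */

/* Weak pattern: trust the environment whenever real and effective UID match. */
static int env_trusted_uid_only(uid_t uid, uid_t euid)
{
    return uid == euid;
}

/* Stricter pattern: also compare group IDs and honour the kernel's AT_SECURE
 * flag, which is set for setuid, setgid and file-capability executions. */
static int env_trusted_strict(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                              unsigned long at_secure)
{
    return uid == euid && gid == egid && at_secure == 0;
}

/* Hypothetical helper: return an environment variable only when the
 * current process shows no sign of elevated privilege. */
static const char *config_getenv(const char *name)
{
    if (!env_trusted_strict(getuid(), geteuid(), getgid(), getegid(),
                            getauxval(AT_SECURE)))
        return NULL;
    return getenv(name);
}

int main(void)
{
    /* Constructed credentials: setgid-only binary, uid 1000, gid 1000 -> egid 42. */
    uid_t uid = 1000, euid = 1000;
    gid_t gid = 1000, egid = 42;

    printf("uid-only check trusts env: %d\n", env_trusted_uid_only(uid, euid));
    printf("strict check trusts env:   %d\n",
           env_trusted_strict(uid, euid, gid, egid, 1));

    const char *cfg = config_getenv("HESIOD_CONFIG");
    printf("HESIOD_CONFIG in this process: %s\n", cfg ? cfg : "(ignored or unset)");
    return 0;
}
```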

Defensive priority

High for any host that has Hesiod 3.2.1 installed and exposes it to privileged binaries; otherwise medium. The issue is local and requires an existing user context, but the impact is severe in the affected execution path.

Recommended defensive actions

  • Identify whether Hesiod 3.2.1 is installed anywhere in your fleet and whether any setuid/setgid binaries use it.
  • Apply the upstream fix or vendor backport referenced in the oss-security disclosure and associated pull request.
  • Review packaging and hardening of privileged binaries to ensure they do not honor untrusted environment configuration in library initialization paths.
  • Use distribution advisories and issue trackers to confirm whether your vendor has already backported a correction.
  • Prioritize remediation on multi-user systems and any environments where local shell access is available.

Evidence notes

The supplied corpus ties this CVE to Hesiod 3.2.1 and cites the vulnerable comparison in hesiod_init. NVD classifies the issue as CVSS 3.0 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H and CWE-264. References include the oss-security disclosure, a Red Hat bug tracker entry, the upstream GitHub pull request, and a Gentoo advisory, which together support the existence of a patch and downstream tracking.

Official resources

Publicly disclosed in the supplied corpus on 2017-03-01, with references pointing to an oss-security post dated 2017-01-21 and subsequent vendor/advisory tracking. Use the CVE published date as the disclosure anchor.