CVE-2025-14242 - Vulnerability Details

A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Eus Long Life Rhel Tus

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 10
vsftpd-0:3.0.5-10.el10_1.1	cpe:/o:redhat:enterprise_linux:10.1	RHSA-2026:0606	2026-01-14T00:00:00Z
Red Hat Enterprise Linux 8
vsftpd-0:3.0.3-36.el8_10.3	cpe:/a:redhat:enterprise_linux:8	RHSA-2026:0608	2026-01-14T00:00:00Z
Red Hat Enterprise Linux 9
vsftpd-0:3.0.5-6.el9_7.2	cpe:/a:redhat:enterprise_linux:9	RHSA-2026:0605	2026-01-14T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2026:0605
https://access.redhat.com/errata/RHSA-2026:0606
https://access.redhat.com/errata/RHSA-2026:0608
https://access.redhat.com/errata/RHSA-2026:4470
https://access.redhat.com/errata/RHSA-2026:4477
https://access.redhat.com/errata/RHSA-2026:4513
https://access.redhat.com/errata/RHSA-2026:4522
https://access.redhat.com/errata/RHSA-2026:4525
https://access.redhat.com/errata/RHSA-2026:4543
https://access.redhat.com/errata/RHSA-2026:4550
https://access.redhat.com/security/cve/CVE-2025-14242
https://bugzilla.redhat.com/show_bug.cgi?id=2419826
https://nvd.nist.gov/vuln/detail/CVE-2025-14242
https://www.cve.org/CVERecord?id=CVE-2025-14242

History

Fri, 13 Mar 2026 01:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_e4s:9.0::appstream
References		https://access.redhat.com/errata/RHSA-2026:4543

Thu, 12 Mar 2026 23:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_tus:8.6::appstream
Vendors & Products		Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2026:4550

Thu, 12 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel E4s Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_aus:8.2::appstream cpe:/a:redhat:rhel_e4s:9.2::appstream cpe:/a:redhat:rhel_eus:9.4::appstream cpe:/a:redhat:rhel_eus:9.6::appstream
Vendors & Products		Redhat rhel E4s Redhat rhel Eus
References		https://access.redhat.com/errata/RHSA-2026:4470 https://access.redhat.com/errata/RHSA-2026:4513 https://access.redhat.com/errata/RHSA-2026:4522 https://access.redhat.com/errata/RHSA-2026:4525

Thu, 12 Mar 2026 13:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel Eus Long Life
CPEs		cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
Vendors & Products		Redhat rhel Aus Redhat rhel Eus Long Life
References		https://access.redhat.com/errata/RHSA-2026:4477

Thu, 15 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9
References		https://nvd.nist.gov/vuln/detail/CVE-2025-14242 https://www.cve.org/CVERecord?id=CVE-2025-14242
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 14 Jan 2026 22:00:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:10~~	cpe:/o:redhat:enterprise_linux:10.1
References		https://access.redhat.com/errata/RHSA-2026:0606

Wed, 14 Jan 2026 16:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:9~~	cpe:/a:redhat:enterprise_linux:9::appstream
References		https://access.redhat.com/errata/RHSA-2026:0605
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 14 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.
Title		Vsftpd: vsftpd: denial of service via integer overflow in ls command parameter parsing
First Time appeared		Redhat Redhat enterprise Linux
Weaknesses		CWE-190
CPEs		cpe:/a:redhat:enterprise_linux:8::appstream cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/errata/RHSA-2026:0608 https://access.redhat.com/security/cve/CVE-2025-14242 https://bugzilla.redhat.com/show_bug.cgi?id=2419826
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-01-14T15:23:03.708Z

Updated: 2026-03-13T00:37:45.925Z

Reserved: 2025-12-08T03:42:06.011Z

Link: CVE-2025-14242

Vulnrichment

Updated: 2026-01-14T15:31:29.842Z

NVD

Status : Awaiting Analysis

Published: 2026-01-14T16:15:55.967

Modified: 2026-03-12T19:16:14.450

Link: CVE-2025-14242

Redhat

Severity : Moderate

Publid Date: 2026-01-14T00:00:00Z

Links: CVE-2025-14242 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object