A few days ago, the results of a security audit were published that revealed five vulnerabilities in the popular terminal multiplexer GNU Screen, which is used to manage multiple console sessions on a single terminal.
The most serious of them, CVE-2025-23395, allows a local user to gain root privileges on affected systems. It only affects version 5.0.0 of GNU Screen, which ships in distributions such as Fedora, Arch Linux and NetBSD, among others. Debian, Ubuntu and RHEL still use the 4.x branch, which is not vulnerable to this particular flaw.
CVE-2025-23395: Critical Privilege Escalation
The problem occurs when GNU Screen is installed setuid-root (as on Arch Linux and NetBSD): the logfile_reopen() function runs before privileges are dropped, so a local user can point the log file at an arbitrary path and have it written as root. In a typical exploit, the attacker deletes the original log file and replaces it with a symbolic link to a system file. When Screen reopens the log, it writes to the link target with root privileges, and whatever the attacker sends through the session's PTY ends up in that file.
This issue affects Screen 5.0.0 when run with setuid-root privileges. The logfile_reopen() function does not drop privileges when operating on a user-supplied path. This allows unprivileged users to create files in arbitrary locations with root ownership, ownership by the invoking user's (real) group, and file mode 0644. All data written to the Screen PTY will be logged to this file. Existing files can also be used for logging in this manner: the data will be appended to the file in question, but the file mode and ownership will remain unchanged.
Exploited properly, this can lead to full control of the system, since it lets an unprivileged user create or append to sensitive files such as startup scripts. Fedora is less exposed because it installs Screen setgid rather than setuid-root, which limits the attack surface.
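The bug class described above, as an added stand-alone example that is not code from GNU Screen or from the audit report: a privileged program opens a user-supplied log path while its effective uid is still root (open_log_vulnerable), next to a hardened variant that performs the open as the invoking user and refuses a symlink at the log path (open_log_hardened). The function names, the temporary-directory fixture and the use of O_NOFOLLOW are this example's own choices, not Screen's identifiers or its actual fix; the demo runs unprivileged, where the id switches are no-ops, so it only shows the symlink part of the defense.

```c
/* Added example, not code from GNU Screen or the article: the bug class
 * behind CVE-2025-23395 (privileged open of a user-controlled log path)
 * beside one hardened pattern. Names and fixture paths are illustrative. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: open with whatever effective uid the process has.
 * In a setuid-root binary this creates or follows the path as root; a
 * symlink planted at the expected log path redirects the write to its
 * target, and new files get root ownership with mode 0644 after the umask. */
int open_log_vulnerable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Hardened pattern: switch the effective ids to the invoking user's real
 * ids around the open, so the kernel checks the path with that user's
 * permissions, and add O_NOFOLLOW so a planted link at the final component
 * fails with ELOOP. seteuid() keeps the saved set-user-id, so root can be
 * restored afterwards. Unprivileged, the id changes are no-ops. */
int open_log_hardened(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();

    /* Drop the gid first: once the euid is non-root the egid can't change. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;

    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0644);
    int open_errno = errno;

    /* Restore in reverse order, uid first, whatever the open returned. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = open_errno;
    return fd;
}

static void remove_fixture(const char *dir, const char *link, const char *target)
{
    unlink(link);
    unlink(target);
    rmdir(dir);
}

/* Constructed fixture in a private temp dir: target.txt stands in for a
 * sensitive file, screenlog.0 is the symlink an attacker plants at the log
 * path. Returns 1 when the vulnerable open follows the link and lands data
 * in the target, the hardened open refuses the link with ELOOP, and the
 * hardened open still works on an ordinary path; 0 otherwise; -1 on setup
 * failure. */
int demo_symlink_defense(void)
{
    char dir[] = "/tmp/screenlog-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char target[64], link[64];
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(link, sizeof link, "%s/screenlog.0", dir);

    int t = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (t < 0 || symlink(target, link) != 0) {
        if (t >= 0)
            close(t);
        remove_fixture(dir, link, target);
        return -1;
    }
    close(t);

    int ok = 1;
    const char payload[] = "attacker-controlled line\n";
    size_t len = sizeof payload - 1;
    struct stat st;

    /* 1. The vulnerable open follows the link; the "log" lands in target.txt. */
    int vfd = open_log_vulnerable(link);
    if (vfd < 0 || write(vfd, payload, len) != (ssize_t)len
        || stat(target, &st) != 0 || st.st_size != (off_t)len)
        ok = 0;
    if (vfd >= 0)
        close(vfd);

    /* 2. The hardened open rejects the link outright. */
    int hfd = open_log_hardened(link);
    if (hfd >= 0 || errno != ELOOP)
        ok = 0;
    if (hfd >= 0)
        close(hfd);

    /* 3. The hardened open still works for a file the user may write. */
    hfd = open_log_hardened(target);
    if (hfd < 0)
        ok = 0;
    else
        close(hfd);

    remove_fixture(dir, link, target);
    return ok;
}

int main(void)
{
    int r = demo_symlink_defense();
    printf("demo: %s\n", r == 1 ? "vulnerable open followed the link, hardened open refused it"
                       : r == 0 ? "unexpected result" : "fixture setup failed");
    return r == 1 ? 0 : 1;
}
```

In a real setuid-root binary the decisive part is the seteuid()/setegid() switch, which makes the kernel apply the invoking user's permissions to every path component, not just the final one; O_NOFOLLOW is defense in depth for the planted-link case the article describes.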
Other relevant vulnerabilities
The audit, conducted by the SUSE Linux security team, also identified other notable flaws:
- CVE-2025-46802: When attaching to a multi-user session, Screen temporarily grants world read and write permissions on the user's TTY device (for example /dev/pts/1), so other local users can read from or write to it. This affects both the 4.x and 5.x branches.
- CVE-2025-46803: The 5.0 branch sets insecure permissions (0622) on PTY devices, allowing any local user to write to them.
- CVE-2025-46804: An information leak: when the SCREENDIR variable points at a chosen path, Screen's error messages reveal whether files or directories exist there.
- CVE-2025-46805: A race condition when sending SIGCONT and SIGHUP signals can result in a denial of service.
A misuse of strncpy was also detected, which can cause crashes when executing commands with special formatting, an issue exclusive to the 5.0 branch.
Lack of maintenance and support from SUSE
The discovery of these vulnerabilities has exposed deeper problems in the maintenance of GNU Screen. According to the SUSE team, the current project maintainers do not fully understand the code base and did not address the security issues, which forced SUSE to develop patches for some of the discovered flaws on its own. The report was sent to the developers on February 7, but it was not possible to fix the entire set of vulnerabilities within the agreed 90-day disclosure period.
What to do if you use GNU Screen?
Users of systems that ship Screen 5.0.0 setuid-root should update to version 5.0.1 immediately, or temporarily revert to a 4.x version if no updated packages are available. To check how your package is installed, look at the binary with ls -l: an s in the owner's execute position (for example -rwsr-xr-x) together with root as the owner means it is setuid-root. As a mitigation, you can also remove the setuid bit from the Screen executable (adjust the path to where your distribution installs it):
sudo chmod u-s /usr/bin/screen
However, this may break functionality such as session sharing between users (multi-user mode), which is what the setuid bit is there for. Finally, the recently released version 5.0.1 fixes this and the other reported bugs and is already available in distributions such as Arch Linux and FreeBSD.
If you want to know more, you can check the details at the following link.