Detections
Analytics

Linux Distros Unpatched Vulnerability : CVE-2025-68146

medium Nessus Plugin ID 278912

Language:

Synopsis

The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be patched.

Description

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

 - filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check- Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file. All users of filelock on Unix, Linux, macOS, and Windows systems are impacted.
 The vulnerability cascades to dependent libraries. The attack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable. The issue is fixed in version 3.20.1.
 If immediate upgrade is not possible, use SoftFileLock instead of UnixFileLock/WindowsFileLock (note:
 different locking semantics, may not be suitable for all use cases); ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks; and/or monitor lock file directories for suspicious symlinks before running trusted applications. These workarounds provide only partial mitigation. The race condition remains exploitable. Upgrading to version 3.20.1 is strongly recommended. (CVE-2025-68146)

Note that Nessus relies on the presence of the package as reported by the vendor.

Solution

There is no known solution at this time.

See Also

https://security-tracker.debian.org/tracker/CVE-2025-68146

https://ubuntu.com/security/CVE-2025-68146

Plugin Details

Severity: Medium

ID: 278912

File Name: unpatched_CVE_2025_68146.nasl

Version: 1.8

Type: Local

Agent: unix

Family: Misc.

Published: 12/16/2025

Updated: 3/17/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: Medium

Base Score: 5.7

Temporal Score: 5.1

Vector: CVSS2#AV:L/AC:H/Au:S/C:P/I:C/A:C

CVSS Score Source: CVE-2025-68146

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 6.2

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:U/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:python-filelock, cpe:/o:canonical:ubuntu_linux:25.04, p-cpe:/a:canonical:ubuntu_linux:python-filelock, cpe:/o:canonical:ubuntu_linux:25.10, cpe:/o:debian:debian_linux:12.0

Required KB Items: Host/local_checks_enabled, Host/cpu, global_settings/vendor_unpatched, Host/OS/identifier

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/16/2025

Reference Information

CVE: CVE-2025-68146