Cyber Posture

CVE-2025-71263

High

Published: 13 March 2026

Published
13 March 2026
Modified
21 March 2026
KEV Added
Patch
CVSS Score 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0001 0.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-71263 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Discuss (inferred from references). Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-27 Platform-independent Applications
addresses: CWE-120

Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Buffer overflow in local su binary directly enables local privilege escalation to root via crafted input (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In UNIX Fourth Research Edition (v4), the su command is vulnerable to a buffer overflow due to the 'password' variable having a fixed size of 100 bytes. A local user can exploit this to gain root privileges. It is unlikely…

more

that UNIX v4 is running anywhere outside of a very small number of lab environments. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Deeper analysisAI

CVE-2025-71263 is a buffer overflow vulnerability (CWE-120) in the su command of UNIX Fourth Research Edition (v4), stemming from the 'password' variable being allocated a fixed size of 100 bytes. This flaw affects only this legacy UNIX variant, which has no remaining support from its maintainer. The vulnerability received a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) upon publication on 2026-03-13.

A local attacker with no privileges required (PR:N) can exploit this vulnerability through high-complexity attack methods (AC:H), such as crafting input that overflows the fixed-size password buffer in the su command. Successful exploitation allows the attacker to gain root privileges, resulting in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H).

Advisories and discussions in the provided references, including analyses on systems.discuss, sigma-star.at, spinellis.gr, tuhs.org, and openwall.com, emphasize that UNIX v4 is unsupported with no patches or mitigations available from the maintainer. Security practitioners should isolate or decommission any legacy lab environments running this software.

In notable context, the vulnerability is unlikely to exist outside a very small number of lab environments, minimizing real-world risk. No evidence of active exploitation has been reported.

Details

CWE(s)
CWE-120

Affected Products

Discuss
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-47389Shared CWE-120
CVE-2026-31622Shared CWE-120
CVE-2025-48611Shared CWE-120
CVE-2025-0303Shared CWE-120
CVE-2025-25522Shared CWE-120
CVE-2025-49495Shared CWE-120
CVE-2026-1679Shared CWE-120
CVE-2025-47394Shared CWE-120
CVE-2025-47399Shared CWE-120
CVE-2026-21382Shared CWE-120

References