FreeBSD security vulnerability (CVE-2025-0374)

CVE-2025-0374 is a security vulnerability identified in FreeBSD’s etcupdate utility. When etcupdate encounters conflicts during file merging, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This temporary file does not preserve the original file’s permissions and is world-readable, potentially exposing sensitive information. Files that typically have restricted access, such as /etc/master.passwd, could be affected. An unprivileged local user might read encrypted root and user passwords from the temporary master.passwd file created in /var/db/etcupdate/conflicts. This exposure occurs only when conflicts within the password file arise during an update, and the unprotected file is deleted once conflicts are resolved.

Affected versions of FreeBSD include:

  • 14.2-RELEASE before p1
  • 14.1-RELEASE before p7
  • 13.4-RELEASE before p3

Patches have been released to mitigate the vulnerability, and users are advised to update their systems promptly to avoid exploitation.
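The following audit script is an added example for administrators and is not part of FreeBSD's etcupdate or of this advisory. It lists files under an etcupdate conflicts directory that are world-readable even though the system file they were copied from is not, which is exactly the condition described above. It assumes (an assumption, not something the advisory states) that a conflict copy is stored under the same relative path as its original, so that `conflicts/etc/master.passwd` mirrors `/etc/master.passwd`; the fixture tree it builds for the demonstration is constructed and contains no real credentials.

```shell
#!/bin/sh
# Audit an etcupdate conflicts directory for world-readable copies of
# files that are restricted on the live system. Added example; not part
# of FreeBSD's etcupdate. Assumes the copy mirrors the original's
# relative path (conflicts/etc/X <-> ROOT/etc/X).

# find_exposed_conflicts CONFLICTS_DIR [ROOT]
# Prints every regular file under CONFLICTS_DIR whose mode grants
# "other read" while its counterpart under ROOT (default /) does not.
find_exposed_conflicts() {
    conflicts_dir=${1%/}
    root=${2:-}
    # -perm -004 matches any file whose mode includes the o+r bit.
    find "$conflicts_dir" -type f -perm -004 | while IFS= read -r copy; do
        rel=${copy#"$conflicts_dir"/}
        orig="$root/$rel"
        [ -f "$orig" ] || continue
        # If the original is itself world-readable, the copy leaks nothing.
        if [ -z "$(find "$orig" -prune -perm -004)" ]; then
            printf '%s\n' "$copy"
        fi
    done
}

# make_demo_tree DIR
# Builds a constructed fixture under DIR: DIR/root stands in for the live
# system and DIR/conflicts for /var/db/etcupdate/conflicts.
make_demo_tree() {
    base=$1
    mkdir -p "$base/root/etc" "$base/conflicts/etc"
    # Constructed stand-in for /etc/master.passwd: mode 600 on the system.
    printf 'root:*LOCKED*:0:0::0:0:Charlie &:/root:/bin/sh\n' \
        > "$base/root/etc/master.passwd"
    chmod 600 "$base/root/etc/master.passwd"
    # The conflict copy was written with default (world-readable) mode.
    printf '<<<<<<< constructed conflict marker\n' \
        > "$base/conflicts/etc/master.passwd"
    chmod 644 "$base/conflicts/etc/master.passwd"
    # A file that is world-readable in both places is not an exposure.
    printf 'hostname="demo"\n' > "$base/root/etc/rc.conf"
    chmod 644 "$base/root/etc/rc.conf"
    cp "$base/root/etc/rc.conf" "$base/conflicts/etc/rc.conf"
    chmod 644 "$base/conflicts/etc/rc.conf"
}

# Stand-alone demonstration on the constructed fixture.
demo=$(mktemp -d)
make_demo_tree "$demo"
echo "Exposed conflict copies:"
find_exposed_conflicts "$demo/conflicts" "$demo/root"
rm -rf "$demo"
```

On a real host the call is `find_exposed_conflicts /var/db/etcupdate/conflicts /`. The check reads mode bits only, so it reports the same result whether or not the caller is root, and it stays useful after patching as a regression test that the conflict copies now carry their originals' permissions.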

See more details on: