CVE-2025-6297: dpkg-deb: Fix cleanup for control member with restricted directories
It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is
documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on
adversarial .deb packages or with well compressible files, placed
inside a directory with permissions not allowing removal by a non-root
user, this can end up in a DoS scenario due to causing disk quota
exhaustion or disk full conditions.
Security readout for executives and security teams
Plain-English summary
CVE-2025-6297 affects dpkg-deb handling of untrusted Debian packages. A crafted package can cause cleanup to leave temporary files behind, and repeated automated processing can fill disk space or quotas. This is mainly an availability risk for systems that inspect or process untrusted .deb files at scale.
Executive priority
Prioritize remediation for package-processing infrastructure before general endpoints. The business risk is service disruption from disk exhaustion in automated pipelines, not currently evidenced remote code execution or active exploitation.
Technical view
dpkg-deb did not properly sanitize directory permissions when extracting a control member into a temporary directory, despite that operation being documented as safe for untrusted data. Restricted directory permissions can prevent non-root cleanup, leaving files behind and enabling disk quota exhaustion or disk-full denial of service.
Likely exposure
Highest exposure is in Debian-based build, scanning, repository, CI, or malware-analysis workflows that repeatedly run dpkg-deb on untrusted .deb packages. Ordinary endpoints are less exposed unless they automate package inspection from untrusted sources.
Exploitation context
The bundle does not cite active exploitation, and KEV is false. The described abuse requires adversarial .deb packages and repeated automated execution, especially with highly compressible files and cleanup blocked by restrictive directory permissions.
Researcher notes
Affected version data in the bundle is incomplete or ambiguous, listing Debian dpkg with version value "0" and default unaffected. Use Debian LTS and upstream dpkg references for authoritative package mapping and fixed builds.
Mitigation direction
Apply Debian LTS or vendor-provided dpkg security updates.
Track the upstream dpkg fix commit in downstream packages.
Limit or pause automated dpkg-deb processing of untrusted packages until updated.
Run package inspection with disk quotas and isolated temporary storage.
Monitor temporary directories and quotas for unusual accumulation.
Validation and detection
Inventory systems and pipelines that run dpkg-deb on untrusted .deb files.
Confirm installed dpkg packages include the vendor fix.
Review CI, repository, and scanner jobs for repeated untrusted package extraction.
Check temporary storage for leftover files after package inspection failures.
Verify disk quota and cleanup monitoring covers package-processing workers.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-400: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
CWE-732: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-400 · source CWE mapping
Uncontrolled Resource Consumption
Uncontrolled Resource Consumption represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Incorrect Permission Assignment for Critical Resource
Incorrect Permission Assignment for Critical Resource represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.