Vulnerability Note VU#686403 fails to unset LD_PRELOAD before executing suid root programs

Original Release date: 17 May 2001 | Last revised: 21 Jun 2001

Overview

The dynamic loader fails to unset LD_PRELOAD before executing suid root programs, allowing insecure or malicious libraries to be loaded.

Description

The UNIX/Linux dynamic loader fails, under some conditions and on some operating system releases, to unset LD_PRELOAD before loading suid root programs for execution. Although setuid root programs themselves ignore LD_PRELOAD, programs called from suid root programs would use LD_PRELOAD, so they would be loaded with insecure or malicious libraries and executed as root.


By altering LD_PRELOAD, attackers could cause malicious libraries to be loaded by programs called from setuid root programs, which then could execute arbitrary code as root.


Apply vendor patches; see the Systems Affected section below.
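
Separately from the loader fix, a privileged program can avoid handing loader variables to the programs it calls. The C sketch below is an added example, not code from the original note or from any vendor patch: it removes LD_PRELOAD from the environment passed to a child. It goes beyond the note by dropping every LD_-prefixed entry and every repeated copy of a name; the function names and the sample environment are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if an environment entry ("NAME=value") steers the dynamic loader.
   Treating every LD_* name as loader-controlled is this example's assumption. */
static int is_loader_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Compact envp in place, dropping every loader variable, including repeated
   entries of the same name. Returns the number of entries removed. */
int scrub_loader_env(char **envp)
{
    char **src, **dst = envp;
    int removed = 0;

    for (src = envp; *src != NULL; src++) {
        if (is_loader_var(*src))
            removed++;          /* skip: never reaches the child */
        else
            *dst++ = *src;      /* keep: shift down over removed slots */
    }
    *dst = NULL;                /* re-terminate the shortened array */
    return removed;
}

/* Run a helper from a privileged program with the scrubbed environment.
   Returns only if execve() fails. */
int exec_helper_scrubbed(const char *path, char *const argv[], char **envp)
{
    scrub_loader_env(envp);
    return execve(path, argv, envp);
}

int main(void)
{
    /* Constructed sample environment; the library path is a placeholder. */
    char *env[] = { "PATH=/usr/bin:/bin", "LD_PRELOAD=/tmp/example.so",
                    "HOME=/root", "LD_PRELOAD=/tmp/example.so", NULL };
    int removed = scrub_loader_env(env);

    printf("removed %d entries\n", removed);
    for (char **e = env; *e != NULL; e++)
        puts(*e);
    return 0;
}
```

Passing an explicit environment to execve(), rather than relying on the inherited one, keeps the child's view of these variables under the caller's control.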

Systems Affected

Vendor                        Status        Date Notified  Date Updated
Caldera                       Affected      30 Aug 2000    15 May 2001
FreeBSD                       Affected      08 Sep 2000    15 May 2001
MandrakeSoft                  Affected      30 Aug 2000    15 May 2001
TurboLinux                    Affected      19 Feb 2001    15 May 2001
Apple                         Not Affected  08 Sep 2000    15 May 2001
Compaq Computer Corporation   Not Affected  08 Sep 2000    15 May 2001
Fujitsu                       Not Affected  08 Sep 2000    15 May 2001
Hewlett Packard               Not Affected  08 Sep 2000    15 May 2001
Microsoft                     Not Affected  08 Sep 2000    15 May 2001
OpenBSD                       Not Affected  08 Sep 2000    15 May 2001
SCO                           Not Affected  08 Sep 2000    15 May 2001
BSDI                          Unknown       08 Sep 2000    15 May 2001
Data General                  Unknown       08 Sep 2000    15 May 2001
IBM                           Unknown       08 Sep 2000    15 May 2001
NCR                           Unknown       08 Sep 2000    15 May 2001

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



The original public announcement was by Solar Designer.

This document was last modified by Tim Shimeall.

Other Information

  • CVE IDs: CVE-2000-0824
  • Date Public: 31 Aug 2000
  • Date First Published: 17 May 2001
  • Date Last Updated: 21 Jun 2001
  • Severity Metric: 6.73
  • Document Revision: 6

