CVE-2025-49809
Publication date 4 July 2025
Last updated 11 July 2025
Ubuntu priority
CVSS 3 Severity Score
Description
mtr through 0.95, in certain privileged contexts, mishandles execution of a program specified by the MTR_PACKET environment variable. NOTE: mtr on macOS may often have Sudo rules, as an indirect consequence of Homebrew not installing setuid binaries.
Why is this CVE low priority?
Requires bad sudo configuration
Status
Package | Ubuntu Release | Status |
---|---|---|
mtr | 25.10 questing | Needs evaluation |
mtr | 25.04 plucky | Needs evaluation |
mtr | 24.04 LTS noble | Needs evaluation |
mtr | 22.04 LTS jammy | Needs evaluation |
mtr | 20.04 LTS focal | Needs evaluation |
mtr | 18.04 LTS bionic | Needs evaluation |
mtr | 16.04 LTS xenial | Needs evaluation |
mtr | 14.04 LTS trusty | Needs evaluation |
Notes
mdeslaur
This issue only affects deployments where an unprivileged user can only run mtr through a specialized sudo configuration. While this is a common scenario on macOS, it is unlikely to be a common scenario on Ubuntu. The patch allows creating a file called /etc/mtr.is.run.under.sudo to disable the MTR_PACKET environment variable from being used, so the patch alone will not fix existing sudo configurations. In addition, the default Ubuntu sudoers file already resets the environment with the env_reset option, so this is unlikely to be an issue in practice. Marking priority as low.
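An added example (not code from the Ubuntu tracker or the mtr project): a simplified audit of sudoers text for rules that run mtr while MTR_PACKET can survive sudo's environment handling. It goes beyond the env_reset point in the note by also checking env_keep and the SETENV tag; the sample rules, users and paths are constructed.

```python
import os
import re

MARKER = "/etc/mtr.is.run.under.sudo"  # marker file named in the note above
# Constructed sample sudoers content (not taken from any real host).
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "LANG MTR_PACKET"
%netops ALL=(root) NOPASSWD: /usr/sbin/mtr
alice ALL=(root) SETENV: /usr/local/sbin/mtr --report *
bob ALL=(root) /usr/bin/traceroute
"""
MTR_CMD = re.compile(r"(?:^|[\s,:])(/\S*/mtr)(?=[\s,]|$)")   # a command path ending in /mtr
ENV_KEEP = re.compile(r'env_keep\s*\+?=\s*"?([^"]*)"?')      # env_keep = / += list


def audit_sudoers(text, marker_present):
    """Return (rule, reasons, marker_present) per mtr rule where MTR_PACKET can survive."""
    # Simplified: no line continuations or includes; scoped Defaults count as global.
    env_reset, kept, rules = True, set(), []   # env_reset is on unless negated
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            if "!env_reset" in line:
                env_reset = False
            m = ENV_KEEP.search(line)
            if m:
                kept.update(m.group(1).split())
        elif MTR_CMD.search(line):
            rules.append(line)
    findings = []
    for rule in rules:
        reasons = []
        if not env_reset:
            reasons.append("env_reset disabled")
        if "MTR_PACKET" in kept:
            reasons.append("env_keep preserves MTR_PACKET")
        if "SETENV:" in rule:
            reasons.append("SETENV tag lets the caller pass environment variables")
        if reasons:
            findings.append((rule, reasons, marker_present))
    return findings


if __name__ == "__main__":
    for rule, reasons, marker in audit_sudoers(SAMPLE_SUDOERS, os.path.exists(MARKER)):
        print(f"{rule}\n  why: {'; '.join(reasons)}\n  {MARKER} present: {marker}")
```

On a real host, pass in the concatenated contents of /etc/sudoers and /etc/sudoers.d. Per the note, the marker file only takes effect with a patched mtr.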
Severity score breakdown
Parameter | Value |
---|---|
Base score | |
Attack vector | Local |
Attack complexity | High |
Privileges required | Low |
User interaction | None |
Scope | Changed |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |