CVE-2020-25031

checkinstall: The "chmod 777" Vulnerability You Didn't Ask For

Amit Schendel
Senior Security Researcher

Jan 15, 2026

Executive Summary (TL;DR)

checkinstall 1.6.2 reads the permissions of a symlink (which technically appear as 777) and attempts to apply them to the file. Since `chmod` follows symlinks by default, it inadvertently sets the *target* binary to be world-writable. This allows any local user to overwrite root-owned executables packaged by the tool.

checkinstall 1.6.2, a tool beloved by sysadmins for creating quick-and-dirty packages, contains a critical flaw in how it handles symbolic links. By misinterpreting the nominal permissions of a symlink, it accidentally makes the target executable world-writable (0777). This turns a standard installation process into a Local Privilege Escalation (LPE) generator.
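The read-then-apply pattern described above can be modelled in a few lines of Python. This is an added example, not checkinstall's or installwatch's own code: the function names and the `tool` / `tool-1.0` files are constructed for illustration, and it assumes Linux, where `lstat()` on a symlink reports mode 0777. It runs the buggy pattern and a corrected one over a throwaway staging directory and audits the result for world-writable files.

```python
import os
import stat
import tempfile

def apply_mode_naive(path):
    """Buggy pattern: read the mode with lstat(), apply it with chmod()."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)  # a symlink reports 0777 on Linux
    os.chmod(path, mode)                         # chmod() follows the link to its target
    return mode

def apply_mode_safe(path):
    """Corrected pattern: a symlink has no meaningful mode, so leave it alone."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return None
    mode = stat.S_IMODE(st.st_mode)
    os.chmod(path, mode)
    return mode

def world_writable_files(root):
    """Audit helper: regular files under root that anyone can write to."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(full)
    return sorted(hits)

def demo(apply_mode):
    """Build a constructed staging tree and return (target mode, audit hits)."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "tool-1.0")   # constructed sample binary
        link = os.path.join(root, "tool")         # constructed symlink to it
        with open(target, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(target, 0o755)
        os.symlink("tool-1.0", link)
        for entry in (target, link):
            apply_mode(entry)
        mode = stat.S_IMODE(os.stat(target).st_mode)
        hits = [os.path.basename(p) for p in world_writable_files(root)]
        return mode, hits

if __name__ == "__main__":
    print("naive:", demo(apply_mode_naive))
    print("safe: ", demo(apply_mode_safe))
```

The same `world_writable_files` walk can be pointed at the install prefix of a package that was built with the affected version to find binaries that need their mode restored.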

Technical Appendix

CVSS Score
7.8 / 10
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

- Linux systems using checkinstall 1.6.2 for package management
- Debian-based distributions (Ubuntu, Kali, etc.)
- RPM-based distributions using the tool

Affected Versions Detail

| Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| checkinstall (Canonical) | = 1.6.2 | None |

| Attribute | Detail |
| --- | --- |
| CVE ID | CVE-2020-25031 |
| CVSS v3.1 | 7.8 (High) |
| CWE | CWE-732 (Incorrect Permission Assignment) |
| Attack Vector | Local (User-assisted) |
| Impact | Privilege Escalation (LPE) |
| Affected Component | installwatch / checkinstall |

CWE-732: Incorrect Permission Assignment for Critical Resource

Vulnerability Timeline

- 2020-01-29: Vulnerability reported to Ubuntu by Gianni Tedesco
- 2020-02-05: Debian acknowledges bug, notes upstream is dead
- 2020-08-31: CVE-2020-25031 Published
