Updated: 2026-02-27 00:19:57.7179
Description:
An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 5.0 |
| CVSS Version 3.x | MEDIUM | 5.3 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| CentOS 6 ELS | glib2 | 2.28.8 | 5.3 | MEDIUM | Released | CLSA-2021:1623075923 | 2022-05-05 12:00:26 | |
| CentOS 7 ELS | glib2 | 2.56.1 | 5.3 | MEDIUM | Ignored | 2023-09-19 09:30:31 | Ignored due to low severity | |
| CentOS 8.4 ELS | glib2 | 2.56.4-10 | 5.3 | MEDIUM | Released | CLSA-2022:1645466687 | 2022-02-21 17:54:42 | |
| CentOS 8.5 ELS | glib2 | 2.56.4-156 | 5.3 | MEDIUM | Not Vulnerable | 2022-02-14 17:48:07 | Not affected: this environment’s glib2 already includes the backported fix for CVE‑2021‑28153.... | |
| CloudLinux 6 ELS | glib2 | 2.28.8 | 5.3 | MEDIUM | Released | 2021-11-02 14:03:16 | ||
| Debian 10 ELS | glib2.0 | 2.58.3 | 5.3 | MEDIUM | Ignored | 2025-10-11 00:22:50 | Ignored due to low severity | |
| Oracle Linux 6 ELS | glib2 | 2.28.8 | 5.3 | MEDIUM | Released | CLSA-2021:1634922588 | 2021-11-02 14:03:16 | |
| Ubuntu 16.04 ELS | glib2.0 | 2.48.2-0 | 5.3 | MEDIUM | Not Vulnerable | 2021-11-02 14:03:16 | CVE-2021-28153 is only reachable when an application explicitly calls GLib’s g_file_replace() with... | |
| Ubuntu 18.04 ELS | glib2.0 | 2.56.4-0 | 5.3 | MEDIUM | Already Fixed | 2023-06-02 09:09:55 |