CVE-2025-47436

CRITICAL

9.8

Descripcion

Heap-based Buffer Overflow vulnerability in Apache ORC. A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it. It causes memory corruption. This issue affects Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, from 2.1.0 through 2.1.1. Users are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, and 2.1.2, which fix the issue.

Detalles CVE

Puntuacion CVSS v3.19.8

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado5/14/2025

Ultima modificacion7/14/2025

Fuentenvd

Avistamientos honeypot0

Productos afectados

apache:orc

Debilidades (CWE)

CWE-122

Referencias

https://lists.apache.org/thread/kd6tlv8fs5jybmsgxr4vrkdxyc866wrn(security@apache.org)

https://orc.apache.org/security/CVE-2025-47436/(security@apache.org)

http://www.openwall.com/lists/oss-security/2025/05/13/4(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.