CVE-2025-5915 - Heap-based Buffer Overflow

Severity

39%

Complexity

13%

Confidentiality

41%

A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.

CVSS 3.1 Base Score 3.9. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L).

CVSS 3.1 Base Score 6.6. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H).

Demo Examples

Heap-based Buffer Overflow

CWE-122

While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, heap-based buffer overflows:


               
}
strcpy(buf, argv[1]);

The buffer is allocated heap memory with a fixed size, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow.

Heap-based Buffer Overflow

CWE-122

This example applies an encoding procedure to an input string and stores it into a buffer.


               
}

                     
return dst_buf;
die("user string too long, die evil hacker!");

                           
else dst_buf[dst_index++] = user_supplied_string[i];
dst_buf[dst_index++] = ';';

                                 

                                       /* encode to < */

The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands.

Overview

Type

Red Hat

First reported 3 months ago

2025-06-09 20:15:00

Last updated 1 month ago

2025-08-15 18:07:00

Affected Software

Red Hat Enterprise Linux (RHEL) 7.0 (7)

7.0

Red Hat Enterprise Linux 6.0

6.0

Red Hat Enterprise Linux 8.0

8.0

Red Hat Openshift Container Platform 4.0

4.0

References

https://access.redhat.com/security/cve/CVE-2025-5915

RHBZ#2370865

https://github.com/libarchive/libarchive/pull/2599

https://github.com/libarchive/libarchive/releases/tag/v3.8.0

https://access.redhat.com/security/cve/CVE-2025-5915

Vendor Advisory

RHBZ#2370865

Issue Tracking

https://github.com/libarchive/libarchive/pull/2599

Patch

https://github.com/libarchive/libarchive/releases/tag/v3.8.0

Release Notes

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.