VDB
CVE-2025-2849
CVE-2025-2849
PUBLISHED
CVSS 4.800000190734863 MEDIUM
A vulnerability, which was classified as problematic, was found in UPX up to 5.0.0. Affected is the function PackLinuxElf64::un_DT_INIT of the file src/p_lx_elf.cpp. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The patch is identified as e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2. It is recommended to apply a patch to fix this issue.
EPSS 0.02% · 6.2th percentile
Risk Scores
CVSS v4.0
4.800000190734863
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS Score
0.02%
6.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | UPX | 5.0 |
| upx | upx | 0 |
Timeline
- Mar 27, 2025 CVE Published
- Mar 27, 2025 CVE Updated
- Mar 28, 2025 EPSS Score
- Mar 29, 2025 Coalition ESS Score
- Apr 10, 2025 EPSS Score
- Apr 23, 2025 EPSS Score
- May 6, 2025 EPSS Score
- May 18, 2025 Coalition ESS Score
- May 19, 2025 EPSS Score
- Jun 1, 2025 EPSS Score
- Jun 14, 2025 EPSS Score
- Jun 27, 2025 EPSS Score
References
- https://github.com/upx/upx/issues/898 issue
- VDB-301494 | UPX p_lx_elf.cpp un_DT_INIT heap-based overflow vdb
- VDB-301494 | CTI Indicators (IOB, IOC, IOA) url
- Submit #522371 | upx 5.0.0 Buffer Overflow third-party-advisory
- https://github.com/upx/upx/issues/898#issuecomment-2734082143 issue
- https://github.com/user-attachments/files/19307868/input.zip exploit
- https://github.com/upx/upx/commit/e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2 patch
- https://nvd.nist.gov/vuln/detail/CVE-2025-2849 advisory