VDB
CVE-2025-47436
CVE-2025-47436
PUBLISHED
CVSS 6 MEDIUM
Heap-based Buffer Overflow vulnerability in Apache ORC. A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it. It causes memory corruption. This issue affects Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, from 2.1.0 through 2.1.1. Users are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, and 2.1.2, which fix the issue.
EPSS 0.29% · 52.7th percentile
Risk Scores
CVSS v4.0
6
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/S:N/RE:M/U:Amber
EPSS Score
0.29%
52.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache Software Foundation | Apache ORC | 0, 1.9.0, 2.0.0 |
| apache | orc | 0, 1.9.0, 2.0.0 |
Timeline
- May 13, 2025 PoC Published
- May 13, 2025 PoC Published
- May 13, 2025 PoC Published
- May 14, 2025 CVE Published
- May 14, 2025 PoC Published
- May 14, 2025 PoC Published
- May 14, 2025 CVE Updated
- May 15, 2025 EPSS Score
- May 26, 2025 EPSS Score
- Jun 6, 2025 Coalition ESS Score
- Jun 7, 2025 EPSS Score
- Jun 18, 2025 EPSS Score
References
- https://orc.apache.org/security/CVE-2025-47436/ vendor-advisory
- https://lists.apache.org/thread/kd6tlv8fs5jybmsgxr4vrkdxyc866wrn mailing-list
- http://www.openwall.com/lists/oss-security/2025/05/13/4 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-47436 advisory
- https://orc.apache.org/security/CVE-2025-47436 url