Main Vulnerability Database SB2025080505

SB2025080505 - Heap-based Buffer Overflow in Apache ORC

Published: August 5, 2025

Security Bulletin ID SB2025080505

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Heap-based buffer overflow (CVE-ID: CVE-2025-47436)

The vulnerability allows a local privileged user to cause memory corruption.

The vulnerability exists due to a boundary error in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it. A local privileged user can pass specially crafted data to the application, trigger a heap-based buffer overflow and cause memory corruption.

Remediation

Install update from vendor's website.

References

http://www.openwall.com/lists/oss-security/2025/05/13/4
https://lists.apache.org/thread/kd6tlv8fs5jybmsgxr4vrkdxyc866wrn
https://orc.apache.org/security/CVE-2025-47436/