CVE-2025-47436 MEDIUM

CVE-2025-47436: Apache ORC: Potential Heap Buffer Overflow during C++ LZO Decompression

Vendor Apache Software Foundation

Product Apache ORC

Weakness CWE-122

Published May 14, 2025

Last update May 14, 2025

View on NVD All CVEs

CVSS base score

6.0/10

Attack vector Local

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/S:N/RE:M/U:Amber

What the vulnerability does

Description

Heap-based Buffer Overflow vulnerability in Apache ORC. A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it. It causes memory corruption. This issue affects Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, from 2.1.0 through 2.1.1. Users are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, and 2.1.2, which fix the issue.

Key dates

Disclosure timeline

May 14, 2025 CVE published

May 14, 2025 Record updated

Identifiers

CVE CVE-2025-47436

CWE CWE-122

CVSS 6.0 / MEDIUM

Affected versions

Vendor Apache Software Foundation

Product Apache ORC

Affected ≤ 1.8.8

Vendor Apache Software Foundation

Product Apache ORC

Affected ≥ 1.9.0 and ≤ 1.9.5

Vendor Apache Software Foundation

Product Apache ORC

Affected ≥ 2.0.0 and ≤ 2.0.4

Vendor Apache Software Foundation

Product Apache ORC

Affected ≥ 2.1.0 and ≤ 2.1.1