CVE-2025-47436
6
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/S:N/RE:M/U:Amber
Summary
Heap-based Buffer Overflow vulnerability in Apache ORC.
A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it. It causes memory corruption.
This issue affects Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, from 2.1.0 through 2.1.1.
Users are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, and 2.1.2, which fix the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache ORC | 0 <= 1.8.8 | affected |
| Apache Software Foundation | Apache ORC | 1.9.0 <= 1.9.5 | affected |
| Apache Software Foundation | Apache ORC | 2.0.0 <= 2.0.4 | affected |
| Apache Software Foundation | Apache ORC | 2.1.0 <= 2.1.1 | affected |
Weaknesses
- CWE-122: CWE-122 Heap-based Buffer Overflow
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://orc.apache.org/security/CVE-2025-47436/
- https://lists.apache.org/thread/kd6tlv8fs5jybmsgxr4vrkdxyc866wrn
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.