CVE-2025-2849

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-2849
A vulnerability, which was classified as problematic, was found in UPX up to 5.0.0. Affected is the function PackLinuxElf64::un_DT_INIT of the file src/p_lx_elf.cpp. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The patch is identified as e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2. It is recommended to apply a patch to fix this issue.

3.3 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

1.7 /10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:S/C:N/I:N/A:P

Exploitability : 3.1 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References
Link Resource
https://github.com/upx/upx/commit/e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2 Patch
https://github.com/upx/upx/issues/898 Exploit Issue Tracking
https://github.com/upx/upx/issues/898#issuecomment-2734082143 Exploit Issue Tracking
https://github.com/user-attachments/files/19307868/input.zip Product
https://vuldb.com/?ctiid.301494 Permissions Required VDB Entry
https://vuldb.com/?id.301494 Third Party Advisory VDB Entry
https://vuldb.com/?submit.522371 Third Party Advisory VDB Entry
https://github.com/upx/upx/issues/898#issuecomment-2734082143 Exploit Issue Tracking
Configurations

Configuration 1 (hide)

cpe:2.3:a:upx:upx:*:*:*:*:*:*:*:*
History

11 Apr 2025, 16:09

Type Values Removed Values Added
Summary
  • (es) Se encontró una vulnerabilidad clasificada como problemática en UPX hasta la versión 5.0.0. La función PackLinuxElf64::un_DT_INIT del archivo src/p_lx_elf.cpp está afectada. La manipulación provoca un desbordamiento del búfer en el montón. Es posible lanzar el ataque contra el host local. Se ha hecho público el exploit y puede que sea utilizado. El parche se identifica como e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2. Se recomienda aplicar un parche para solucionar este problema.
First Time Upx
Upx upx
References () https://github.com/upx/upx/commit/e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2 - () https://github.com/upx/upx/commit/e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2 - Patch
References () https://github.com/upx/upx/issues/898 - () https://github.com/upx/upx/issues/898 - Exploit, Issue Tracking
References () https://github.com/upx/upx/issues/898#issuecomment-2734082143 - () https://github.com/upx/upx/issues/898#issuecomment-2734082143 - Exploit, Issue Tracking
References () https://github.com/user-attachments/files/19307868/input.zip - () https://github.com/user-attachments/files/19307868/input.zip - Product
References () https://vuldb.com/?ctiid.301494 - () https://vuldb.com/?ctiid.301494 - Permissions Required, VDB Entry
References () https://vuldb.com/?id.301494 - () https://vuldb.com/?id.301494 - Third Party Advisory, VDB Entry
References () https://vuldb.com/?submit.522371 - () https://vuldb.com/?submit.522371 - Third Party Advisory, VDB Entry
CPE cpe:2.3:a:upx:upx:*:*:*:*:*:*:*:*
CWE CWE-787

27 Mar 2025, 14:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-27 14:15

Updated : 2025-04-11 16:09

NVD link : CVE-2025-2849

Mitre link : CVE-2025-2849

CVE.ORG link : CVE-2025-2849

JSON object : View

Products Affected

upx

  • upx
CWE
CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-122

Heap-based Buffer Overflow

CWE-787

Out-of-bounds Write