Buffer Overflow Vulnerability in Lattice Semiconductor ispVM System
CVE-2012-10057

8.4HIGH

Key Information:

Vendor

Lattice Semiconductor

Status
Ispvm System
Vendor
CVE Published:
13 August 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2012-10057?

The Lattice Semiconductor ispVM System v18.0.2 contains a buffer overflow vulnerability arising from improper validation of input length when handling .xcf project files. This flaw manifests while parsing the version attribute of the ispXCF XML tag, allowing crafted files to overwrite stack memory, thus enabling the execution of arbitrary code in the context of the user opening the file. The exploitation of this vulnerability can be achieved locally by opening a specially designed .xcf file without requiring elevated privileges.

Affected Version(s)

ispVM System 18.0.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2012-10057 - Proof of Concept

CVE-2012-10057 - Proof of Concept

CVE-2012-10057 - Proof of Concept

References

https://raw.githubusercontent.com/rapid7/metasploit-frame...
exploit
https://www.exploit-db.com/exploits/18947
exploit
https://web.archive.org/web/20121014002756/http://secunia...
technical-descriptionexploit

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Anonymous person via Secunia
.
CVE-2012-10057 : Buffer Overflow Vulnerability in Lattice Semiconductor ispVM System