Heap-based Buffer Overflow in Ashlar-Vellum Cobalt Allows Remote Code Execution
CVE-2025-2019

7.8 HIGH

Key Information:

Status:
Vendor:
CVE Published: 11 March 2025

What is CVE-2025-2019?

A vulnerability in Ashlar-Vellum Cobalt allows the execution of arbitrary code through a heap-based buffer overflow. The flaw occurs during the parsing of VC6 files: the application does not adequately validate the length of user-supplied data before copying it into a heap-based buffer. As a consequence, remote attackers can exploit this vulnerability by enticing users to visit malicious web pages or open compromised files, leading to potential code execution in the context of the affected installation.

Affected Version(s)

Cobalt 1204.91

References

CVSS V3.0

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved