Buffer Overflow in Apache ORC Affects Multiple Versions
CVE-2025-47436

6MEDIUM

Key Information:

Vendor: Apache
Status: Apache Orc
Vendor: CVE Published:; 14 May 2025

What is CVE-2025-47436?

A heap-based buffer overflow vulnerability exists in the Apache ORC C++ library's LZO decompression logic. The flaw allows specially crafted malformed ORC files to trigger a memory corruption issue when an attempt is made to copy more data than the allocated buffer can handle, leading to potential security risks. It is critical for users to upgrade to the fixed versions to mitigate these vulnerabilities.

Affected Version(s)

Apache ORC 0 <= 1.8.8

Apache ORC 1.9.0 <= 1.9.5

Apache ORC 2.0.0 <= 2.0.4

References

https://orc.apache.org/security/CVE-2025-47436/

vendor-advisory

https://lists.apache.org/thread/kd6tlv8fs5jybmsgxr4vrkdxy...

mailing-list

CVSS V4

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2025
Vulnerability Reserved
May 7, 2025

Credit

Jason Villaluna