Heap-based Buffer Over-read in GNU PSPP Affecting Versions up to 2.0.1
CVE-2025-48188

2.9LOW

Key Information:

Vendor

Gnu

Status
Vendor
CVE Published:
16 May 2025

What is CVE-2025-48188?

The GNU PSPP software, up to version 2.0.1, contains a vulnerability within the libpspp-core.a library that stems from an improper function call in the encrypted file handling process. Specifically, the fill_buffer function invokes the Gnulib rijndaelDecrypt function incorrectly, resulting in a potential heap-based buffer over-read. This flaw could be exploited to access sensitive data or cause unintended behaviors within the application.

Affected Version(s)

PSPP 0 <= 2.0.1

References

CVSS V3.1

Score:
2.9
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.