Heap-based Buffer Over-read in GNU PSPP Affecting Versions up to 2.0.1
CVE-2025-48188

2.9LOW

Key Information:

Vendor: Gnu
Status: Pspp
Vendor: CVE Published:; 16 May 2025

What is CVE-2025-48188?

The GNU PSPP software, up to version 2.0.1, contains a vulnerability within the libpspp-core.a library that stems from an improper function call in the encrypted file handling process. Specifically, the fill_buffer function invokes the Gnulib rijndaelDecrypt function incorrectly, resulting in a potential heap-based buffer over-read. This flaw could be exploited to access sensitive data or cause unintended behaviors within the application.

Affected Version(s)

PSPP 0 <= 2.0.1

References

https://savannah.gnu.org/bugs/?67079

CVSS V3.1

Score:

2.9

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 16, 2025
Vulnerability Reserved
May 16, 2025