Heap Buffer Overflow in OpenWrt Ubusd Affects Embedded Devices
CVE-2025-62526

7.9 HIGH

Key Information:

Vendor: OpenWrt
Status: Vendor
CVE Published: 22 October 2025

What is CVE-2025-62526?

OpenWrt, a Linux distribution for embedded devices, ships a ubusd service that, prior to version 24.10.4, contains a heap buffer overflow in its event registration parsing code. The overflow lets an attacker corrupt the heap and potentially execute arbitrary code in the memory context of the ubus daemon. Because the flaw is triggered before the Access Control List (ACL) checks run, any ubus client can send the malformed message. The same crafted subscription also bypasses the listen ACL restrictions, which could further compromise system integrity. The issue is fixed in OpenWrt version 24.10.4.

Affected Version(s)

openwrt < 24.10.4

CVSS v3.1

Score: 7.9
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
