CVE-2023-40222

High

Published: 04 February 2025

Published

04 February 2025

Modified

16 September 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In Ashlar-Vellum Cobalt versions prior to v12 SP2 Build (1204.200), the affected application lacks proper validation of user-supplied data when parsing CO files. This could lead to a heap-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

Security Summary

CVE-2023-40222 is a heap-based buffer overflow vulnerability (CWE-122) in Ashlar-Vellum Cobalt versions prior to v12 SP2 Build (1204.200). The issue arises from a lack of proper validation of user-supplied data during the parsing of CO files, which can trigger the overflow. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2025-02-04.

A local attacker with no privileges required can exploit this vulnerability by tricking a user into opening a maliciously crafted CO file through the affected application. Successful exploitation allows the attacker to execute arbitrary code in the context of the current process, potentially leading to high confidentiality, integrity, and availability impacts.

The CISA ICS Advisory ICSA-23-299-03, available at https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-03, provides details on mitigation strategies for this vulnerability.

Details

CWE(s): CWE-122

Affected Products

ashlar

cobalt

≤ 12.4.1204.200

References

https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-03
Third Party Advisory, US Government Resource · ics-cert@hq.dhs.gov