CVE-2025-1788
Published: 01 March 2025
Description
A vulnerability classified as critical was found in rizinorg rizin up to 0.8.0. It affects the function rz_utf8_encode in the file /librz/util/utf8.c. Manipulated input leads to a heap-based buffer overflow. The attack must be launched locally. The exploit has been disclosed to the public and may be used. Applying the patch is recommended to fix this issue.
Security Summary
CVE-2025-1788 is a heap-based buffer overflow vulnerability affecting the rz_utf8_encode function in /librz/util/utf8.c of rizinorg rizin versions up to 0.8.0. Classified as critical, it maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow). The issue was published on 2025-03-01.
Exploitation requires local access with low privileges and low attack complexity (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, base score 5.3). A local attacker can manipulate input to the affected function, triggering the heap-based buffer overflow, with limited impact on confidentiality, integrity, and availability.
Mitigation is available via a patch in rizinorg/rizin pull request #4762, as referenced in GitHub issue #4910. A proof-of-concept exploit has been publicly disclosed, including a ZIP file (rz-bin-poc-01.zip) attached to the issue, and may be used by attackers. Additional details are available at vuldb.com/?ctiid.298011.
Details
- CWE(s)