CVE-2025-2338

CVE-2025-2338 is a heap-based buffer overflow vulnerability classified as critical in tbeu/matio version 1.5.28. The issue affects the strdup_vprintf function in the src/io.c file, where manipulation can trigger the overflow. It was published on 2025-03-16 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow).

The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as opening a malicious file processed by the affected component. Successful exploitation may result in low-impact confidentiality, integrity, and availability effects (C:L/I:L/A:L), potentially leading to memory corruption, denial of service, or limited data tampering depending on the context.

Advisories and details are documented in GitHub issues at https://github.com/tbeu/matio/issues/269 and https://github.com/tbeu/matio/issues/269#issue-2883920922, along with VulDB entries at https://vuldb.com/?ctiid.299802, https://vuldb.com/?id.299802, and https://vuldb.com/?submit.510781. The exploit has been publicly disclosed and may be used by attackers.

Notable context includes the public availability of the exploit, increasing the risk for systems using tbeu/matio 1.5.28 that process untrusted inputs.