Vulnerability Description
Heap-based buffer overflow in Apache ORC. The issue is in the LZO decompression logic of the ORC C++ library, where the number of bytes copied into the decompressed-output buffer is not checked against the size of that buffer: a specially crafted malformed ORC file can make the decompressor allocate a 250-byte buffer and then attempt to copy 295 bytes into it, corrupting the heap. Because the trigger is the file itself, any process that decompresses ORC data from an untrusted source with an affected C++ library is exposed. This issue affects the Apache ORC C++ library through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, and from 2.1.0 through 2.1.1. Users should upgrade to version 1.8.9, 1.9.6, 2.0.5 or 2.1.2, which fix the issue.
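As an added illustration (not code from Apache ORC or from the advisory), the C program below models the bug class described above: a decoder that allocates an output buffer of the size the input declares (250 bytes, the figure in the advisory) and then copies a 295-byte run without comparing the run length to that allocation. The block format, token values and all function names are constructed for this example and are not ORC's real LZO framing. The "heap buffer" is placed at the start of a larger, canary-filled arena so that the overflow lands in memory the program owns and can be measured, instead of silently corrupting allocator metadata. The hardened decoder next to it performs the check the vulnerable one lacks.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy block format (NOT Apache ORC's LZO framing):
 *   header : 2 bytes big-endian "declared decompressed length" (what the decoder allocates)
 *   tokens : 0x00 len16 <len bytes>   literal run
 *            0x01 dist16 len16         back-reference: copy len bytes starting dist bytes back
 *            0xFF                      end of block                                            */
#define TOK_LITERAL 0x00
#define TOK_MATCH   0x01
#define TOK_END     0xFF

enum { DECLARED = 250, ACTUAL = 295, ARENA = 512, CANARY = 0xC5 };  /* 250/295 are the advisory's figures */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }

/* Size the header tells the decoder to allocate; 0 if the header is truncated. */
size_t declared_length(const uint8_t *in, size_t in_len) { return in_len < 2 ? 0 : rd16(in); }

/* VULNERABLE: input-side lengths are checked, but the output cursor is never
 * compared with the allocation made from the header. Returns bytes written. */
size_t decompress_unchecked(const uint8_t *in, size_t in_len, uint8_t *out)
{
    size_t ip = 2, op = 0;
    while (ip < in_len) {
        uint8_t tok = in[ip++];
        if (tok == TOK_END) break;
        if (tok == TOK_LITERAL && ip + 2 <= in_len) {
            size_t len = rd16(in + ip); ip += 2;
            if (len > in_len - ip) break;
            memcpy(out + op, in + ip, len);        /* BUG: op + len may exceed the allocation */
            ip += len; op += len;
        } else if (tok == TOK_MATCH && ip + 4 <= in_len) {
            size_t dist = rd16(in + ip), len = rd16(in + ip + 2); ip += 4;
            for (size_t i = 0; i < len; i++, op++) out[op] = out[op - dist];  /* BUG: dist and op + len unchecked */
        } else {
            break;
        }
    }
    return op;
}

/* HARDENED: every write is bounded by out_cap before it happens, and a
 * back-reference may not reach before the start of the output. -1 on malformed input. */
long decompress_checked(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t ip = 2, op = 0;
    if (in_len < 2) return -1;
    while (ip < in_len) {
        uint8_t tok = in[ip++];
        if (tok == TOK_END) return (long)op;
        if (tok == TOK_LITERAL) {
            if (ip + 2 > in_len) return -1;
            size_t len = rd16(in + ip); ip += 2;
            if (len > in_len - ip) return -1;      /* input truncated */
            if (len > out_cap - op) return -1;     /* would overflow the output buffer */
            memcpy(out + op, in + ip, len);
            ip += len; op += len;
        } else if (tok == TOK_MATCH) {
            if (ip + 4 > in_len) return -1;
            size_t dist = rd16(in + ip), len = rd16(in + ip + 2); ip += 4;
            if (dist == 0 || dist > op) return -1; /* reference before start of output */
            if (len > out_cap - op) return -1;
            for (size_t i = 0; i < len; i++, op++) out[op] = out[op - dist];
        } else {
            return -1;
        }
    }
    return -1;                                     /* no end token */
}

/* Constructed malformed block: header declares 250 bytes, body carries a 295-byte literal run. */
size_t build_crafted_block(uint8_t *blk, size_t cap)
{
    size_t n = 0;
    if (cap < 2 + 3 + ACTUAL + 1) return 0;
    blk[n++] = (uint8_t)(DECLARED >> 8); blk[n++] = (uint8_t)(DECLARED & 0xFF);
    blk[n++] = TOK_LITERAL; blk[n++] = (uint8_t)(ACTUAL >> 8); blk[n++] = (uint8_t)(ACTUAL & 0xFF);
    memset(blk + n, 'A', ACTUAL); n += ACTUAL;
    blk[n++] = TOK_END;
    return n;
}

/* Runs one decoder against the crafted block. The "250-byte heap buffer" is the
 * start of a larger arena whose tail holds a canary, so bytes written past the
 * allocation can be counted. Stores the decoder's return value in *rc. */
static size_t run_against_arena(int hardened, long *rc)
{
    uint8_t blk[400];
    size_t blk_len = build_crafted_block(blk, sizeof blk);
    size_t alloc = declared_length(blk, blk_len);  /* 250: what the decoder would malloc */
    uint8_t *arena = malloc(ARENA);
    size_t hit = 0;
    if (!arena) return (size_t)-1;
    memset(arena, CANARY, ARENA);
    *rc = hardened ? decompress_checked(blk, blk_len, arena, alloc)
                   : (long)decompress_unchecked(blk, blk_len, arena);
    for (size_t i = alloc; i < ARENA; i++) if (arena[i] != CANARY) hit++;
    free(arena);
    return hit;
}

long   demo_unchecked_written(void)        { long rc; run_against_arena(0, &rc); return rc; }   /* 295 */
size_t demo_unchecked_overflow_bytes(void) { long rc; return run_against_arena(0, &rc); }       /* 45 */
long   demo_checked_rc(void)               { long rc; run_against_arena(1, &rc); return rc; }   /* -1 */
size_t demo_checked_overflow_bytes(void)   { long rc; return run_against_arena(1, &rc); }       /* 0 */

int main(void)
{
    printf("unchecked: wrote %ld bytes into a %d-byte buffer, %zu past the end\n",
           demo_unchecked_written(), DECLARED, demo_unchecked_overflow_bytes());
    printf("checked:   rc=%ld, %zu bytes past the end\n", demo_checked_rc(), demo_checked_overflow_bytes());
    return 0;
}
```

The check that matters is `len > out_cap - op` (written in that order so the subtraction cannot wrap); comparing `op + len > out_cap` would be wrong when the sum itself overflows `size_t`. Under a real allocator the 45 extra bytes would land in whatever heap object follows the 250-byte buffer, which is the memory corruption the advisory describes.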
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|
| Apache | ORC (C++ library) | through 1.8.8 | 1.8.9 |
| Apache | ORC (C++ library) | 1.9.0 through 1.9.5 | 1.9.6 |
| Apache | ORC (C++ library) | 2.0.0 through 2.0.4 | 2.0.5 |
| Apache | ORC (C++ library) | 2.1.0 through 2.1.1 | 2.1.2 |
Related Weaknesses (CWE)
- CWE-122: Heap-based Buffer Overflow (the weakness class named in the description)
References
- https://lists.apache.org/thread/kd6tlv8fs5jybmsgxr4vrkdxyc866wrn (Mailing List, Vendor Advisory)
- https://orc.apache.org/security/CVE-2025-47436/ (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2025/05/13/4 (Mailing List, Third Party Advisory)
FAQ
What is CVE-2025-47436?
CVE-2025-47436 is a heap-based buffer overflow in the LZO decompression logic of the Apache ORC C++ library, rated 9.8 (CRITICAL). A specially crafted malformed ORC file makes the decompressor copy more bytes into its output buffer than it allocated (295 bytes into a 250-byte buffer), corrupting the heap. See the description above for the affected and fixed versions.
How severe is CVE-2025-47436?
CVE-2025-47436 has been rated CRITICAL with a CVSS base score of 9.8/10. The trigger is a malformed ORC file, so the exposure is any service or job that reads ORC data from an untrusted source with an affected C++ library; such deployments should treat the upgrade as urgent.
Is there a patch for CVE-2025-47436?
Yes. The fix is in Apache ORC C++ 1.8.9, 1.9.6, 2.0.5 and 2.1.2; upgrade to the fixed release of whichever branch you run. The vendor advisory and the mailing-list announcement are linked in the references section above.