QwikSec

Security Database

CVE

CWE

Training

CVE-2012-10057

Published: Aug 13, 2025

Modified: Apr 7, 2026

PUBLISHED

Description

Lattice Semiconductor ispVM System v18.0.2 contains a buffer overflow vulnerability in its handling of .xcf project files. When parsing the version attribute of the ispXCF XML tag, the application fails to properly validate input length, allowing a specially crafted file to overwrite memory on the stack. This can result in arbitrary code execution under the context of the user who opens the file. The vulnerability is triggered locally by opening a malicious .xcf file and does not require elevated privileges.

Vendor	Product	Versions
Lattice Semiconductor	ispVM System	affected `18.0.2`

Weaknesses (CWE)

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/ispvm_xcf_ispxcf.rb

exploit

https://www.exploit-db.com/exploits/18947

exploit

https://web.archive.org/web/20121014002756/http://secunia.com/advisories/48740/

technical-description

exploit

https://www.latticesemi.com/ispvm

product

https://www.vulncheck.com/advisories/lattice-semiconductor-ispvm-system-xcf-file-handling-buffer-overflow

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.