CVE-2025-47436
Published: May 14, 2025
Modified: May 14, 2025
Description
Heap-based Buffer Overflow vulnerability in Apache ORC. A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it. It causes memory corruption. This issue affects Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, from 2.1.0 through 2.1.1. Users are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, and 2.1.2, which fix the issue.
| Vendor | Product | Versions |
|---|---|---|
Apache Software Foundation | Apache ORC | affected 0 - <= 1.8.8affected 1.9.0 - <= 1.9.5affected 2.0.0 - <= 2.0.4affected 2.1.0 - <= 2.1.1 |
Weaknesses (CWE)
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now