CVE-2025-15506

CVE-2025-15506

Name

CVE-2025-15506

Description

A vulnerability was found in AcademySoftwareFoundation OpenColorIO up to 2.5.0. This issue affects the function ConvertToRegularExpression of the file src/OpenColorIO/FileRules.cpp. Performing a manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is named ebdbb75123c9d5f4643e041314e2bc988a13f20d. To fix this issue, it is recommended to deploy a patch. The fix was added to the 2.5.1 milestone.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
issue-tracking	https://github.com/AcademySoftwareFoundation/OpenColorIO/issues/2228
patch	https://github.com/AcademySoftwareFoundation/OpenColorIO/milestone/11
issue-tracking	https://github.com/AcademySoftwareFoundation/OpenColorIO/pull/2231
patch	https://github.com/cozdas/OpenColorIO/commit/ebdbb75123c9d5f4643e041314e2bc988a13f20d
exploit	https://github.com/oneafter/1225/blob/main/uaf
signature	https://vuldb.com/?ctiid.340444
vdb-entry	https://vuldb.com/?id.340444
third-party-advisory	https://vuldb.com/?submit.733332

Type

URI

issue-tracking

https://github.com/AcademySoftwareFoundation/OpenColorIO/issues/2228

patch

https://github.com/AcademySoftwareFoundation/OpenColorIO/milestone/11

issue-tracking

https://github.com/AcademySoftwareFoundation/OpenColorIO/pull/2231

patch

https://github.com/cozdas/OpenColorIO/commit/ebdbb75123c9d5f4643e041314e2bc988a13f20d

exploit

https://github.com/oneafter/1225/blob/main/uaf

signature

https://vuldb.com/?ctiid.340444

vdb-entry

https://vuldb.com/?id.340444

third-party-advisory

https://vuldb.com/?submit.733332

Match rules

Source package	Min version	Max version
opencolorio	== 2.0	== None
opencolorio	== 2.1	== None
opencolorio	== 2.2	== None
opencolorio	== 2.3	== None
opencolorio	== 2.4	== None
opencolorio	== 2.5.0	== None

CPE URI

Source package

Min version

Max version

opencolorio

== 2.0

== None

opencolorio

== 2.1

== None

opencolorio

== 2.2

== None

opencolorio

== 2.3

== None

opencolorio

== 2.4

== None

opencolorio

== 2.5.0

== None

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
opencolorio	edge-community	2.5.1-r0	Leon Marz <main@lmarz.org>	possibly vulnerable
opencolorio	edge-community	2.5.0-r3	Leon Marz <main@lmarz.org>	possibly vulnerable
opencolorio	edge-community	2.5.0-r2	Leon Marz <main@lmarz.org>	possibly vulnerable
opencolorio	edge-community	2.5.0-r1	Leon Marz <main@lmarz.org>	possibly vulnerable
opencolorio	edge-community	2.5.0-r0	Leon Marz <main@lmarz.org>	possibly vulnerable
opencolorio	edge-community	2.4.2-r1	Leon Marz <main@lmarz.org>	possibly vulnerable
opencolorio	edge-community	2.4.2-r0	Leon Marz <main@lmarz.org>	possibly vulnerable
opencolorio	edge-community	2.4.1-r0	Leon Marz <main@lmarz.org>	possibly vulnerable
opencolorio	edge-community	2.4.0-r1	Leon Marz <main@lmarz.org>	possibly vulnerable
opencolorio	3.23-community	2.5.0-r1	Leon Marz <main@lmarz.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

opencolorio

edge-community

2.5.1-r0

Leon Marz <main@lmarz.org>

possibly vulnerable

opencolorio

edge-community