CVE-2025-5222

Name
CVE-2025-5222
Description
A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed in the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                                   URI
vdb-entry                              https://access.redhat.com/security/cve/CVE-2025-5222
issue-tracking                         https://bugzilla.redhat.com/show_bug.cgi?id=2368600
af854a3a-2127-422b-91ae-364da2661108   https://lists.debian.org/debian-lts-announce/2025/06/msg00015.html
secalert@redhat.com                    https://access.redhat.com/errata/RHSA-2025:11888
secalert@redhat.com                    https://access.redhat.com/errata/RHSA-2025:12083
secalert@redhat.com                    https://access.redhat.com/errata/RHSA-2025:12331
secalert@redhat.com                    https://access.redhat.com/errata/RHSA-2025:12332
secalert@redhat.com                    https://access.redhat.com/errata/RHSA-2025:12333

Match rules

CPE URI                                                                            Source package                         Min version   Max version
(none)                                                                             shopxo                                 >= 0          < 78.1
cpe:2.3:a:unicode:international_components_for_unicode:*:*:*:*:*:*:*:*             international_components_for_unicode   >= None       < 78.1
cpe:2.3:a:unicode:international_components_for_unicode:*:*:*:*:*:*:*:*             international_components_for_unicode   >= None       < 77.1

Vulnerable and fixed packages

Source package   Branch      Version   Maintainer                               Status
icu              edge-main   76.1-r1   Natanael Copa <ncopa@alpinelinux.org>    fixed
icu              3.23-main   76.1-r1   Natanael Copa <ncopa@alpinelinux.org>    fixed
icu              3.22-main   76.1-r1   Natanael Copa <ncopa@alpinelinux.org>    fixed
icu              3.21-main   74.2-r1   Natanael Copa <ncopa@alpinelinux.org>    fixed
icu              3.20-main   74.2-r1   Natanael Copa <ncopa@alpinelinux.org>    fixed
icu              3.19-main   74.1-r1   Natanael Copa <ncopa@alpinelinux.org>    fixed