{
  "document": {
    "aggregate_severity": {
      "text": "Critical"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/vex/2025/cve-2025-47436-els_os-almalinux9_2esu.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-05-06T20:12:20Z",
      "generator": {
        "date": "2026-05-06T20:12:20Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2025-47436-ELS_OS-ALMALINUX9.2ESU",
      "initial_release_date": "2025-05-14T14:15:00Z",
      "revision_history": [
        {
          "date": "2025-05-14T14:15:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-10-08T17:41:41Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2025-12-23T19:08:30Z",
          "number": "3",
          "summary": "Update document"
        },
        {
          "date": "2026-05-06T20:12:20Z",
          "number": "4",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "4"
    },
    "title": "Security update on CVE-2025-47436"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "orc-0:0.4.31-6.el9.tuxcare.els1.i686",
                "product": {
                  "name": "orc-0:0.4.31-6.el9.tuxcare.els1.i686",
                  "product_id": "orc-0:0.4.31-6.el9.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/orc@0.4.31-6.el9.tuxcare.els1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "orc-devel-0:0.4.31-6.el9.tuxcare.els1.i686",
                "product": {
                  "name": "orc-devel-0:0.4.31-6.el9.tuxcare.els1.i686",
                  "product_id": "orc-devel-0:0.4.31-6.el9.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/orc-devel@0.4.31-6.el9.tuxcare.els1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "orc-0:0.4.31-6.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "orc-0:0.4.31-6.el9.tuxcare.els1.x86_64",
                  "product_id": "orc-0:0.4.31-6.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/orc@0.4.31-6.el9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "orc-compiler-0:0.4.31-6.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "orc-compiler-0:0.4.31-6.el9.tuxcare.els1.x86_64",
                  "product_id": "orc-compiler-0:0.4.31-6.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/orc-compiler@0.4.31-6.el9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "orc-devel-0:0.4.31-6.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "orc-devel-0:0.4.31-6.el9.tuxcare.els1.x86_64",
                  "product_id": "orc-devel-0:0.4.31-6.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/orc-devel@0.4.31-6.el9.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "orc-doc-0:0.4.31-6.el9.tuxcare.els1.noarch",
                "product": {
                  "name": "orc-doc-0:0.4.31-6.el9.tuxcare.els1.noarch",
                  "product_id": "orc-doc-0:0.4.31-6.el9.tuxcare.els1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/orc-doc@0.4.31-6.el9.tuxcare.els1?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "orc-0:0.4.31-6.el9.tuxcare.els1.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:orc-0:0.4.31-6.el9.tuxcare.els1.i686"
        },
        "product_reference": "orc-0:0.4.31-6.el9.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "orc-0:0.4.31-6.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:orc-0:0.4.31-6.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "orc-0:0.4.31-6.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "orc-compiler-0:0.4.31-6.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:orc-compiler-0:0.4.31-6.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "orc-compiler-0:0.4.31-6.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "orc-devel-0:0.4.31-6.el9.tuxcare.els1.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:orc-devel-0:0.4.31-6.el9.tuxcare.els1.i686"
        },
        "product_reference": "orc-devel-0:0.4.31-6.el9.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "orc-devel-0:0.4.31-6.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:orc-devel-0:0.4.31-6.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "orc-devel-0:0.4.31-6.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "orc-doc-0:0.4.31-6.el9.tuxcare.els1.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:orc-doc-0:0.4.31-6.el9.tuxcare.els1.noarch"
        },
        "product_reference": "orc-doc-0:0.4.31-6.el9.tuxcare.els1.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-47436",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "description",
          "text": "Heap-based Buffer Overflow vulnerability in Apache ORC.\n\nA vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempt to copy 295 bytes into it. This causes memory corruption.\n\nThis issue affects the Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, from 2.1.0 through 2.1.1.\n\nUsers are recommended to upgrade to versions 1.8.9, 1.9.6, 2.0.5, and 2.1.2, which fix the issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        },
        {
          "category": "other",
          "text": "TuxCare has assessed that this vulnerability does not impact any currently supported TuxCare products. This evaluation may change as new information becomes available. For additional details regarding this vulnerability and affected products, refer to the provided references.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "AlmaLinux-9.2:orc-0:0.4.31-6.el9.tuxcare.els1.i686",
          "AlmaLinux-9.2:orc-0:0.4.31-6.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:orc-compiler-0:0.4.31-6.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:orc-devel-0:0.4.31-6.el9.tuxcare.els1.i686",
          "AlmaLinux-9.2:orc-devel-0:0.4.31-6.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:orc-doc-0:0.4.31-6.el9.tuxcare.els1.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-47436"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/kd6tlv8fs5jybmsgxr4vrkdxyc866wrn",
          "url": "https://lists.apache.org/thread/kd6tlv8fs5jybmsgxr4vrkdxyc866wrn"
        },
        {
          "category": "external",
          "summary": "https://orc.apache.org/security/CVE-2025-47436/",
          "url": "https://orc.apache.org/security/CVE-2025-47436/"
        },
        {
          "category": "external",
          "summary": "http://www.openwall.com/lists/oss-security/2025/05/13/4",
          "url": "http://www.openwall.com/lists/oss-security/2025/05/13/4"
        }
      ],
      "release_date": "2025-05-14T14:15:00Z",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:orc-0:0.4.31-6.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:orc-0:0.4.31-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:orc-compiler-0:0.4.31-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:orc-devel-0:0.4.31-6.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:orc-devel-0:0.4.31-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:orc-doc-0:0.4.31-6.el9.tuxcare.els1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        },
        {
          "category": "impact",
          "details": "Not affected: the installed package orc-0.4.31 is GStreamer ORC (Oil Run‑time Compiler), which is a different project entirely from Apache ORC. CVE-2025-47436 applies only to Apache ORC’s C++ LZO decompression code in versions ≤1.8.8, 1.9.0–1.9.5, 2.0.0–2.0.4, and 2.1.0–2.1.1; GStreamer ORC 0.4.31 does not include Apache ORC code or any LZO decompressor. Accordingly, the vulnerable code path is absent and this CVE does not impact this package.",
          "product_ids": [
            "AlmaLinux-9.2:orc-0:0.4.31-6.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:orc-0:0.4.31-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:orc-compiler-0:0.4.31-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:orc-devel-0:0.4.31-6.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:orc-devel-0:0.4.31-6.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:orc-doc-0:0.4.31-6.el9.tuxcare.els1.noarch"
          ]
        }
      ]
    }
  ]
}