CVE-2025-47436 · CRITICAL 9.8 · EPSS percentile 36.4%


Description

Heap-based buffer overflow vulnerability in Apache ORC. A vulnerability has been identified in the ORC C++ LZO decompression logic, where a specially crafted malformed ORC file can cause the decompressor to allocate a 250-byte buffer and then attempt to copy 295 bytes into it, corrupting memory. This issue affects the Apache ORC C++ library through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, and from 2.1.0 through 2.1.1. Users are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, or 2.1.2, which fix the issue.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.46% probability of exploitation · percentile 36.4% · 2026-06-18T12:00:27Z
Published: 2025-05-14
Last modified: 2025-07-14

Underlying weaknesses · 1

CWE-122

References

  1. https://lists.apache.org/thread/kd6tlv8fs5jybmsgxr4vrkdxyc866wrn
  2. https://orc.apache.org/security/CVE-2025-47436/
  3. http://www.openwall.com/lists/oss-security/2025/05/13/4


Type | Target | Confidence | Tier
Weakness | Heap-based Buffer Overflow (cwe-122) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-44905
CVE: CVE-2026-4424
CVE: CVE-2025-44904
CVE: CVE-2026-42250
CVE: CVE-2025-30065
CVE: CVE-2025-1864
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.