CVE-2025-47868
BaseFortify

Publication date: 2025-06-16

Last updated on: 2025-06-17

Assigner: Apache Software Foundation

Description
An out-of-bounds write, resulting in a possible heap-based buffer overflow, was discovered in the tools/bdf-converter font conversion utility that is part of the Apache NuttX RTOS repository. This standalone program is optional and is part of neither the NuttX RTOS nor the Applications runtime, but active bdf-converter users may be affected when the tool is exposed to externally provided user data (e.g. publicly available automation). This issue affects Apache NuttX from 6.9 before 12.9.0. Users are recommended to upgrade to version 12.9.0, which fixes the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-06-16
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: apache
Product: nuttx
Version range: from 6.9 (inclusive) to 12.9.0 (exclusive)
CWE
CWE-122: A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

Users should immediately upgrade the Apache NuttX tools/bdf-converter utility to version 12.9.0 or later, as this version contains the fix for the vulnerability by correcting the loop termination condition. Avoid exposing the bdf-converter tool to externally provided user data until the upgrade is applied. [1]


Can you explain this vulnerability to me?

This vulnerability is an out-of-bounds write in the tools/bdf-converter font conversion utility of Apache NuttX RTOS. It occurs due to an incorrect loop termination condition in the bitmap reading logic, which can lead to a heap-based buffer overflow. This means that when the tool processes specially crafted input data, it may write outside the allocated memory bounds, potentially causing crashes or other unintended behavior. The vulnerability affects versions from 6.9 up to but not including 12.9.0 and has been fixed by changing the loop control from a boolean based on input data to a counter-based approach that ensures proper termination. [1, 2]
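To make the description above concrete, here is an added illustration in C of the defect shape it names: a BDF bitmap-row loop whose termination is a flag set from the input, beside the counter-bounded form that stops at the declared height. This is constructed example code, not the bdf-converter source or the actual NuttX fix; the row data, the DECLARED_HEIGHT limit and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed BDF glyph rows (not from the NuttX repository): BBX declares a
 * 2-row bitmap, but four hex rows arrive before ENDCHAR. */
#define DECLARED_HEIGHT 2
static const char *const CRAFTED_ROWS[]    = { "FF", "81", "DE", "AD", "ENDCHAR", NULL };
static const char *const WELLFORMED_ROWS[] = { "FF", "81", "ENDCHAR", NULL };
/* Vulnerable shape (hypothetical, modelled on the advisory's wording): a flag
 * set from the input ends the loop, so the file, not `rows`, bounds the writes. */
static int read_rows_input_driven(const char *const *lines, unsigned char *rows)
{
    int n = 0, done = 0;
    while (!done && lines[n] != NULL) {
        done = (strcmp(lines[n], "ENDCHAR") == 0);
        if (!done) {
            rows[n] = (unsigned char)strtoul(lines[n], NULL, 16);
            n++;
        }
    }
    return n;
}
/* Hardened shape: a counter bounded by the declared height drives the loop, and
 * a glyph whose row count disagrees with its BBX height is rejected (-1). */
static int read_rows_counted(const char *const *lines, unsigned char *rows, int height)
{
    int i;
    for (i = 0; i < height; i++) {
        if (lines[i] == NULL || strcmp(lines[i], "ENDCHAR") == 0)
            return -1;                   /* fewer rows than declared */
        rows[i] = (unsigned char)strtoul(lines[i], NULL, 16);
    }
    if (lines[i] == NULL || strcmp(lines[i], "ENDCHAR") != 0)
        return -1;                       /* extra rows: the overrun case */
    return i;
}
/* Rows the vulnerable loop writes for the crafted glyph, into a scratch buffer kept
 * oversized so the demo stays in bounds; a DECLARED_HEIGHT-byte heap buffer would overrun. */
int crafted_rows_written_unbounded(void)
{
    unsigned char scratch[16] = {0};
    return read_rows_input_driven(CRAFTED_ROWS, scratch);
}
/* The hardened reader against a heap buffer sized from the declared height. */
int glyph_rows_accepted(const char *const *lines)
{
    unsigned char *rows = malloc(DECLARED_HEIGHT);
    int r = rows ? read_rows_counted(lines, rows, DECLARED_HEIGHT) : -1;
    free(rows);
    return r;
}
```

The input-driven loop reports 4 rows written for a glyph whose buffer holds 2, which is exactly the gap between input-controlled and counter-controlled termination; the counted reader rejects that glyph and accepts the well-formed one.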


How can this vulnerability impact me?

If you actively use the bdf-converter tool and expose it to external user-provided data, this vulnerability could allow an attacker to cause a heap-based buffer overflow. This may lead to application crashes, denial of service, or potentially arbitrary code execution depending on how the tool is used. Since the tool is standalone and optional, only users who process untrusted font data with bdf-converter are at risk. Upgrading to version 12.9.0 mitigates this risk. [1]

