CVE-2025-52937
BaseFortify
Publication date: 2025-06-23
Last updated on: 2025-06-23
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-494 | The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the PointCloudLibrary's (PCL) crc32_big() function, which is a cloned implementation of a big-endian CRC32 calculation from the zlib library. The issue arises from unsafe pointer operationsβspecifically pre-decrement and pre-increment on buffer pointersβthat can lead to incorrect memory access or buffer underflow during CRC computation. This can cause memory corruption or unexpected behavior when calculating CRC32 checksums. The vulnerability affects PCL versions older than 1.14.0 or when the system zlib is not used (WITH_SYSTEM_ZLIB=FALSE). [1, 2]
How can this vulnerability impact me? :
The vulnerability can lead to incorrect memory access or buffer underflow during CRC32 checksum calculations, potentially causing memory corruption or crashes in applications using the affected PCL versions. This may result in unstable software behavior or security risks related to corrupted data processing within the PointCloudLibrary. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the version of the PointCloudLibrary (PCL) installed on your system. Specifically, verify if the PCL version is older than 1.14.0 or if the build configuration disables the use of the system zlib library (WITH_SYSTEM_ZLIB=FALSE). You can check the PCL version by running a command like `pcl_version` if available, or by inspecting the installed package version via your package manager, e.g., `dpkg -l | grep pcl` on Debian-based systems or `rpm -qa | grep pcl` on RPM-based systems. Additionally, check the build configuration or compilation flags to see if WITH_SYSTEM_ZLIB is set to FALSE. There are no specific network detection commands since this is a library vulnerability related to local code execution. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the PointCloudLibrary (PCL) to version 1.14.0 or later, which includes the fix. Alternatively, ensure that the build configuration uses the system-installed zlib library by setting WITH_SYSTEM_ZLIB=TRUE during compilation. If upgrading is not possible, apply the patch that fixes the unsafe pointer operations in the crc32_big() function as described in the fix commits. Avoid using vulnerable versions of PCL or configurations that disable system zlib to prevent exploitation of this vulnerability. [1, 2]