CVE-2025-6603
BaseFortify
Publication date: 2025-06-25
Last updated on: 2025-06-26
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-189 | |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6603 is an integer overflow vulnerability in the qCUDA project, specifically in the function qcow_make_empty in the file qcow.c. The vulnerability arises from unsafe 32-bit multiplication when calculating the L1 table size (s->l1_size). If s->l1_size is large enough, multiplying it by 8 (the size of uint64_t) causes the value to overflow the 32-bit limit, wrapping around to zero or an incorrect value. This corrupted value is then used in a truncation function, leading to improper truncation and potential data corruption. [1, 3]
How can this vulnerability impact me? :
This vulnerability can impact the confidentiality, integrity, and availability of the system. The integer overflow can cause incorrect memory allocation and data truncation, potentially leading to data corruption or loss. Exploitation requires local access and is considered easy, but no public exploit is currently available. The improper truncation caused by the overflow can disrupt normal operation and compromise system stability. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a local integer overflow in the qCUDA project's function qcow_make_empty related to the argument s->l1_size. Detection involves verifying if the vulnerable version of qCUDA is present on your system, specifically checking the commit up to db0085400c2f2011eed46fbc04fdc0873141688e. Since it requires local access and no remote exploit exists, network detection is not applicable. You can check the qCUDA version or source code commit with commands like `git log -1` in the qCUDA directory or verify the presence of the vulnerable file `qCUDA/qcu-device/block/qcow.c`. Additionally, monitoring for abnormal truncation or data corruption related to L1 table size in qCUDA logs or behavior might indicate exploitation attempts. No specific detection commands are provided in the resources. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting local access to systems running the vulnerable qCUDA version to prevent exploitation, as the attack requires local privileges. Since no known countermeasures or patches are currently available, it is recommended to replace the affected component with an alternative product or avoid using the vulnerable function. Monitoring for unusual behavior or data corruption related to qCUDA is also advised. Applying any future patches or updates from the qCUDA project once available is important. [2]