CVE-2025-62526
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-22

Last updated on: 2025-10-30

Assigner: GitHub, Inc.

Description
OpenWrt Project is a Linux operating system targeting embedded devices. Prior to version 24.10.4, ubusd contains a heap buffer overflow in the event registration parsing code. This allows an attacker to modify the head and potentially execute arbitrary code in the context of the ubus daemon. The affected code is executed before running the ACL checks, all ubus clients are able to send such messages. In addition to the heap corruption, the crafted subscription also results in a bypass of the listen ACL. This is fixed in OpenWrt 24.10.4. There are no workarounds.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-22
Last Modified
2025-10-30
Generated
2026-06-16
AI Q&A
2025-10-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62526
EUVD
EUVD-2025-35591
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openwrt openwrt to 24.10.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62526 is a high-severity vulnerability in the OpenWrt package 'ubusd' prior to version 24.10.4. It is a heap buffer overflow in the event registration parsing code, which allows an attacker to corrupt the heap and potentially execute arbitrary code within the context of the ubus daemon. This vulnerable code runs before access control checks, so any ubus client can exploit it. Additionally, the crafted subscription used to trigger the overflow bypasses the listen ACL, increasing the attack surface. The vulnerability requires low privileges and no user interaction. [1]

Impact Analysis

This vulnerability can allow an attacker with local access and low privileges to execute arbitrary code within the ubus daemon, potentially leading to system compromise. It can cause heap corruption and bypass access controls, which may result in unauthorized actions or denial of service. The confidentiality and integrity impacts are low, but the availability impact is high, meaning it can disrupt the normal operation of the affected device. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the OpenWrt ubusd package to version 24.10.4 or later, where the heap buffer overflow and ACL bypass issues have been fixed. There are no workarounds available, so applying the official security update is necessary to protect your system. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62526. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart