CVE-2025-15536
Unknown Unknown - Not Provided
Heap-Based Buffer Overflow in BYVoid OpenCC MaxMatchSegmentation

Publication date: 2026-01-18

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in BYVoid OpenCC up to 1.1.9. This vulnerability affects the function opencc::MaxMatchSegmentation of the file src/MaxMatchSegmentation.cpp. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. Patch name: 345c9a50ab07018f1b4439776bad78a0d40778ec. To fix this issue, it is recommended to deploy a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-18
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15536
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
byvoid opencc to 1.1.9 (inc)
byvoid open_chinese_convert to 1.1.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15536 is a heap-based buffer overflow vulnerability in BYVoid OpenCC up to version 1.1.9. It occurs in the function opencc::MaxMatchSegmentation::Segment within src/MaxMatchSegmentation.cpp, where improper boundary checking causes the program to read one byte beyond the allocated heap buffer when processing specially crafted input strings. This leads to out-of-bounds memory access, which can cause application crashes or undefined behavior. The vulnerability is related to handling of UTF-8 input sequences, where the code fails to properly validate character lengths against the remaining buffer size, resulting in heap out-of-bounds reads and potential information disclosure. [1, 2, 4, 5, 6]

Impact Analysis

This vulnerability can impact you by causing application crashes or undefined behavior due to heap-buffer-overflow reads when processing maliciously crafted input locally. It may also lead to potential information disclosure by leaking unintended heap memory bytes into the output during conversion. Since exploitation requires local access, an attacker with local privileges could exploit this flaw to disrupt service availability or gain unauthorized access to sensitive information in memory. The exploit is publicly available and considered easy to execute, increasing the risk of exploitation if the system is not patched. [1, 2, 4, 5, 6]

Detection Guidance

This vulnerability can be detected by building OpenCC with AddressSanitizer (ASan) enabled and running it with specially crafted input that triggers the heap-buffer-overflow. The ASan runtime will detect out-of-bounds reads and provide detailed error reports. To reproduce the issue, compile OpenCC with flags like `-fsanitize=address -g` in Release mode and run the OpenCC harness or test suite with a crafted input file designed to trigger the overflow. Specific commands include building OpenCC with ASan and running the test harness with the crafted input. No network detection commands are applicable since the attack requires local execution. [1, 4]

Mitigation Strategies

The immediate mitigation step is to apply the official patch identified by commit `345c9a50ab07018f1b4439776bad78a0d40778ec` which fixes the heap-buffer-overflow by adding proper boundary checks and handling of malformed or truncated UTF-8 input sequences. Deploying this patch or upgrading to a fixed version of BYVoid OpenCC beyond 1.1.9 is recommended. Additionally, avoid processing untrusted or malformed UTF-8 input until the patch is applied. Since exploitation requires local access, restricting local user permissions and monitoring for suspicious local activity can also help mitigate risk. [2, 5, 6]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15536. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart