Executive Summary

CVE-2025-69720 is a stack buffer overflow vulnerability in the ncurses utility called infocmp, specifically in the function analyze_string() located in progs/infocmp.c.

The vulnerability occurs because the function copies Control Sequence Introducer (CSI) parameter substrings into a fixed-size 4096-byte stack buffer without properly checking if the length of the input exceeds the buffer size.

If a maliciously crafted terminfo entry contains a very long CSI parameter list, this can cause the buffer to overflow.

This overflow can lead to denial of service or potentially arbitrary code execution with the privileges of the user running infocmp.

However, the vulnerability is triggered only when using the specialized -i option of infocmp, which is rarely used, limiting the attack surface.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing a local attacker who can control a terminfo entry (for example, in your $HOME/.terminfo directory or via the TERMINFO environment variable) to cause a denial of service by crashing the infocmp tool.

In some cases, it may allow execution of arbitrary code with the privileges of the user running infocmp, although this is less certain.

The risk is limited because the vulnerable code is only triggered by the -i option of infocmp, which is not commonly used.

Additionally, typical packaged versions of ncurses include compiler security features like stack protection that mitigate exploitation.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the ncurses utility `infocmp` with the `-i` option using a specially crafted terminfo entry that contains an overly long Control Sequence Introducer (CSI) parameter list. The vulnerability triggers a stack buffer overflow when `infocmp -i` processes such crafted input.

A practical detection method involves compiling a malicious terminfo source file with a long CSI parameter list using the `tic` command to create a temporary terminfo database, then running `infocmp -i` against this database to observe if a crash or buffer overflow occurs.

• Compile a malicious terminfo source file with a long CSI parameter list using: `tic malicious.terminfo`
• Run the vulnerable tool with the `-i` option: `infocmp -i -T <terminal>` where `<terminal>` points to the crafted terminfo entry

AddressSanitizer (ASan) can be used during compilation of ncurses to detect the buffer overflow during testing, but this is typically not enabled in production builds.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the `infocmp` utility with the `-i` option on untrusted or potentially malicious terminfo entries, as this is the only code path that triggers the vulnerability.

Ensure that your ncurses installation is updated to version 6.5 with the patch released on 2025-12-13 or later, which fixes this buffer overflow vulnerability.

If updating is not immediately possible, restrict access to the `infocmp` tool or the environment variables and files that control terminfo entries (such as `$HOME/.terminfo` and the `TERMINFO` environment variable) to trusted users only.

Use compiler security features such as `-fstack-protector-strong` and runtime protections to mitigate exploitation impact, although these do not replace patching.

Useful 0 Not Useful 0