CVE-2025-61023
Status: Deferred - Pending Action
Denial of Service in Virtuoso Open-Source Database

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: MITRE

Description
An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Affected Vendors & Products

Vendor | Product | Version / Range
openlink | virtuoso-opensource | 7.2.11
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the st_compare component of openlink virtuoso-opensource version 7.2.11. It allows attackers to cause a Denial of Service (DoS) by executing specially crafted SQL statements. The issue arises during the execution of SQL queries involving sorting and grouping operations, where the st_compare function crashes, leading to a failure of the database system.

Specifically, a fuzzer discovered that certain complex SQL queries, such as those that create tables with check constraints and insert data with grouping, trigger a crash in the st_compare function. The crash involves C library search and sort routines such as bsearch and qsort_r, indicating a problem in how the database handles sorting during query execution.

Impact Analysis

This vulnerability causes a Denial of Service (DoS) condition in the openlink virtuoso-opensource database system. An attacker can exploit it by sending crafted SQL queries that crash the st_compare function, potentially making the database unavailable or unstable.

As a result, legitimate users may be unable to access or use the database while it is in a crashed or unstable state, leading to service interruptions and potential loss of availability for applications relying on this database.

Detection Guidance

This vulnerability can be confirmed by attempting to reproduce the crash with crafted SQL queries that reach the st_compare function. Specifically, executing SQL statements that combine table creation with check constraints and complex grouping operations may trigger the Denial of Service condition.

One practical approach is to run the Proof of Concept (PoC) SQL query reported in the GitHub issue within a test environment running openlink virtuoso-opensource v7.2.11 or a similar setup, such as a beta Docker image.

  • Use a Docker container with the vulnerable version to safely test the PoC.
  • Execute the problematic SQL query involving table creation with check constraints and complex grouping to observe whether the service crashes.

Compliance Impact

The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate the Denial of Service vulnerability in the st_compare component of openlink virtuoso-opensource v7.2.11, do not execute, and do not allow untrusted clients to execute, crafted SQL statements that involve complex sorting and grouping operations, especially those similar to the Proof of Concept queries that trigger the crash.

If possible, run the software in a controlled environment such as a Docker container to monitor and limit the impact of potential crashes.

Monitor the official project repository and issue tracker for patches or updates that address this vulnerability and apply them as soon as they become available.
