Unrated severity · NVD Advisory · Published May 14, 2025 · Updated May 14, 2025
Apache ORC: Potential Heap Buffer Overflow during C++ LZO Decompression
CVE-2025-47436
Description
Heap-based Buffer Overflow vulnerability in Apache ORC.
A vulnerability has been identified in the ORC C++ LZO decompression logic, where a specially crafted malformed ORC file can cause the decompressor to allocate a 250-byte buffer and then attempt to copy 295 bytes into it, corrupting heap memory.
This issue affects Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, from 2.1.0 through 2.1.1.
Users are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, or 2.1.2, which fix the issue.
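The defect class described above is an output buffer sized from a header field while the copy length comes from the payload, with no check that the two agree. The following is an added example, not code from Apache ORC or from any LZO implementation: it uses a toy stream format constructed for illustration (a 2-byte declared length followed by literal runs) and shows a decoder that enforces the allocated capacity on every write, so a stream declaring 250 bytes but carrying 295 is rejected instead of overflowing the heap. The function names and the status codes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stream layout (constructed for this example; NOT the real LZO or ORC format):
 *   bytes 0..1 : declared uncompressed length, big-endian u16
 *   bytes 2..  : literal runs, each a 1-byte length N followed by N payload bytes
 * The declared length is what a decoder would size its output buffer from; the
 * runs are what it would actually copy. A malformed file can make them disagree. */

typedef enum {
    DEC_OK        =  0,
    DEC_TRUNCATED = -1,   /* a run claims more input than the stream carries  */
    DEC_OVERFLOW  = -2,   /* the runs would exceed the declared output length */
    DEC_OOM       = -3,
    DEC_INVALID   = -4    /* probe() could not build the constructed stream   */
} dec_status;

/* Decode `in` into a freshly malloc'd buffer. On DEC_OK the caller owns *out.
 * The bounds check before memcpy is the mitigation: output capacity is enforced
 * on every write instead of being trusted from the header. */
dec_status decompress_checked(const uint8_t *in, size_t in_len,
                              uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (in_len < 2) return DEC_TRUNCATED;

    size_t declared = ((size_t)in[0] << 8) | in[1];
    uint8_t *buf = malloc(declared ? declared : 1);
    if (!buf) return DEC_OOM;

    size_t pos = 2, written = 0;
    while (pos < in_len) {
        size_t run = in[pos++];
        if (run > in_len - pos) {          /* input shorter than the run claims */
            free(buf);
            return DEC_TRUNCATED;
        }
        if (run > declared - written) {    /* would write past the allocation */
            free(buf);
            return DEC_OVERFLOW;
        }
        memcpy(buf + written, in + pos, run);
        written += run;
        pos += run;
    }
    *out = buf;
    *out_len = written;
    return DEC_OK;
}

/* Build a toy stream declaring `declared` output bytes but carrying
 * `literal_total` literal bytes. Returns the stream length, or 0 on failure. */
size_t build_stream(uint8_t *dst, size_t dst_cap, size_t declared, size_t literal_total)
{
    if (dst_cap < 2 || declared > 0xFFFF) return 0;
    dst[0] = (uint8_t)(declared >> 8);
    dst[1] = (uint8_t)(declared & 0xFF);
    size_t pos = 2, remaining = literal_total;
    while (remaining > 0) {
        size_t run = remaining > 255 ? 255 : remaining;
        if (run + 1 > dst_cap - pos) return 0;
        dst[pos++] = (uint8_t)run;
        memset(dst + pos, 'A', run);   /* constructed filler payload */
        pos += run;
        remaining -= run;
    }
    return pos;
}

/* Decode a constructed stream with the given header/payload mismatch and
 * report how the checked decoder classifies it. */
dec_status probe(size_t declared, size_t literal_total)
{
    uint8_t stream[1024];
    size_t n = build_stream(stream, sizeof stream, declared, literal_total);
    if (n == 0) return DEC_INVALID;
    uint8_t *out = NULL;
    size_t out_len = 0;
    dec_status s = decompress_checked(stream, n, &out, &out_len);
    free(out);
    return s;
}

int main(void)
{
    /* The shape the advisory describes: header says 250, payload carries 295. */
    printf("declared 250 / literals 295 -> %d (DEC_OVERFLOW is -2)\n", probe(250, 295));
    printf("declared 250 / literals 250 -> %d (DEC_OK is 0)\n", probe(250, 250));
    return 0;
}
```

The fixed-size output check is the property to look for when reviewing any decompressor: the header may decide how much to allocate, but only the running count of bytes actually written may decide whether the next copy is permitted.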
References
- orc.apache.org/security/CVE-2025-47436/ (vendor advisory)
- lists.apache.org/thread/kd6tlv8fs5jybmsgxr4vrkdxyc866wrn (mailing list)