PT-2025-21026 · Apache · Apache Orc
Jason Villaluna
·
Published
2025-05-13
·
Updated
2025-07-14
·
CVE-2025-47436
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Apache ORC versions 1.8.0 through 1.8.8
Apache ORC versions 1.9.0 through 1.9.5
Apache ORC versions 2.0.0 through 2.0.4
Apache ORC versions 2.1.0 through 2.1.1
Description:
A Heap-based Buffer Overflow vulnerability has been identified in the ORC C++ LZO decompression logic. Specially crafted malformed ORC files can cause the decompressor to allocate a 250-byte buffer but then attempt to copy 295 bytes into it, resulting in memory corruption.
Recommendations:
For Apache ORC versions 1.8.0 through 1.8.8, upgrade to version 1.8.9.
For Apache ORC versions 1.9.0 through 1.9.5, upgrade to version 1.9.6.
For Apache ORC versions 2.0.0 through 2.0.4, upgrade to version 2.0.5.
For Apache ORC versions 2.1.0 through 2.1.1, upgrade to version 2.1.2.
Fix
Heap Based Buffer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Orc