PT-2025-33092 · Lattice Semiconductor · Ispvm System
Published: 2025-08-13 · Updated: 2025-08-14 · CVE-2012-10057
CVSS v4.0: 8.4 (High)
Vector: AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions:
Lattice Semiconductor ispVM System version 18.0.2
Description:
Lattice Semiconductor ispVM System version 18.0.2 contains a stack-based buffer overflow in its handling of .xcf project files. When parsing the version attribute of the ispXCF XML tag, the application does not validate the length of the attribute value before copying it into a fixed-size stack buffer. A specially crafted .xcf file can therefore overwrite stack memory, potentially leading to arbitrary code execution in the context of the user who opens the file. The issue is triggered locally by opening a malicious .xcf file and does not require elevated privileges.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
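Since no fixed version is known, the practical mitigation is on the consuming side: treat .xcf files from untrusted sources as hostile input and check the ispXCF version attribute before handing the file to ispVM. The following is an added example written for this page, not Lattice's code, of the length check the advisory says is missing: a bounded extraction of the version attribute that refuses, rather than truncates, an oversized value. The tag and attribute names come from the advisory; the 31-character bound (XCF_VERSION_MAX), the sample file contents and the function names are assumptions made for the example.

```c
/* Added example (not ispVM's parser): bounded extraction of the "version"
 * attribute of the <ispXCF ...> tag from .xcf file contents. The advisory
 * describes a fixed-size stack buffer filled without a length check; the
 * check below is what prevents that, and the routine can double as a
 * pre-open sanity check for untrusted .xcf files. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define XCF_VERSION_MAX 31   /* assumed sane upper bound; not taken from the advisory */

enum xcf_status {
    XCF_OK = 0,
    XCF_NO_TAG = 1,           /* no <ispXCF tag found */
    XCF_MALFORMED = 2,        /* tag or attribute not well-formed */
    XCF_VERSION_TOO_LONG = 3  /* attribute exceeds the buffer: refuse the file */
};

/* Copies the version attribute into out (capacity out_sz) only if it fits in
 * both the local stack buffer and the caller's buffer. On any failure out is
 * left as an empty string and a status code is returned. */
enum xcf_status xcf_read_version(const char *xml, char *out, size_t out_sz)
{
    char version[XCF_VERSION_MAX + 1];   /* fixed-size stack buffer, as in the advisory */
    const char *tag, *close, *attr, *start, *end;
    size_t len;

    if (out_sz) out[0] = '\0';

    tag = strstr(xml, "<ispXCF");
    if (!tag) return XCF_NO_TAG;

    close = strchr(tag, '>');            /* attribute must lie inside the tag */
    if (!close) return XCF_MALFORMED;

    attr = strstr(tag, "version=\"");
    if (!attr || attr > close) return XCF_MALFORMED;

    start = attr + strlen("version=\"");
    end = strchr(start, '"');
    if (!end) return XCF_MALFORMED;

    len = (size_t)(end - start);
    /* The missing check: bound the length before touching the stack buffer.
     * Reject outright instead of silently truncating. */
    if (len > XCF_VERSION_MAX || len + 1 > out_sz) return XCF_VERSION_TOO_LONG;

    memcpy(version, start, len);
    version[len] = '\0';
    memcpy(out, version, len + 1);
    return XCF_OK;
}

/* Constructed sample inputs (not real ispVM project files). */
static const char BENIGN_XCF[] =
    "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
    "<ispXCF version=\"18.0\">\n"
    "  <Comment>constructed sample</Comment>\n"
    "</ispXCF>\n";

static const char OVERSIZED_XCF[] =
    "<?xml version=\"1.0\"?>\n"
    "<ispXCF version=\""
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   /* 64 bytes: well past the 31-byte bound */
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "\"/>\n";

int main(void)
{
    char buf[64];
    enum xcf_status st;

    st = xcf_read_version(BENIGN_XCF, buf, sizeof buf);
    printf("benign:    status=%d version=\"%s\"\n", st, buf);

    st = xcf_read_version(OVERSIZED_XCF, buf, sizeof buf);
    printf("oversized: status=%d (3 = refused, version too long)\n", st);
    return 0;
}
```

The routine deliberately fails closed: a value longer than the buffer is a reason to refuse the file, because a silently truncated version string would hide exactly the kind of input the advisory describes.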
Weakness Enumeration:
Stack Overflow
Related Identifiers:
CVE-2012-10057
Affected Products:
Ispvm System