CVE-2025-40913 — Dependency on Vulnerable Third-Party Component in Azl3 TCL 8.6.13-3 ON Azure Linux 3.0

CWE-1395 — Dependency on Vulnerable Third-Party Component3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 76.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Msrc Azl3 TCL 8.6.13-3 ON Azure Linux 3.0 Msrc Cbl2 TCL 8.6.13-3 ON CBL Mariner 2.0

Timeline

PublishedJul 16

Description

Net::Dropbear versions through 0.16 for Perl contains a dependency that may be susceptible to an integer overflow. Net::Dropbear embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages2 packages

▶msrcmsrc/azl3_tcl_8.6.13-3_on_azure_linux_3.0

▶msrcmsrc/cbl2_tcl_8.6.13-3_on_cbl_mariner_2.0

🔴Vulnerability Details

GHSA

GHSA-x86q-3xjx-wg89: Net::Dropbear versions through 0↗2025-07-16

▶

📋Vendor Advisories

Microsoft

Net::Dropbear versions through 0.16 for Perl contains a dependency that may be susceptible to an integer overflow↗2025-07-08

▶