CVE-2025-5222
Published 2025-05-27
Priority: P4 · 33 · high · CVSS 3.1 score 7 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.30% (21.3th percentile)
A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | icu | < icu 72.1-3+deb12u1 (bookworm) | icu 72.1-3+deb12u1 (bookworm) |
| msrc | azl3_icu_72.1.0.3-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_nodejs_20.14.0-9_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_icu_68.2.0.9-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_icu_68.2.0.9-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_nodejs18_18.20.3-9_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
| unicode | international_components_for_unicode | < 77.1 | 77.1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | 7.0 | HIGH | — |
| vendor_debian | 7.0 | HIGH | — |
| vendor_msrc | 7.0 | HIGH | — |
| vendor_redhat | 7.0 | HIGH | — |
Microsoft
ICU: stack buffer overflow in the SRBRoot::addTag function
vendor_msrc · 2025-05-13 · CVSS 7.0 · HIGH · CWE-120
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, redhat
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://
Debian
CVE-2025-5222: icu - A stack buffer overflow was found in International Components for Unicode (ICU)
vendor_debian · 2025 · CVSS 7.0 · HIGH
A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
Scope: local
bookworm: resolved (fixed in 72.1-3+deb12u1)
bullseye: resolved (fixed in 67.1-7+deb11u1)
forky: resolved (fixed in 76.1-4)
sid: resolved (fixed in 76.1-4)
trixie: resolved (fixed in 76.1-4)
Red Hat
icu: Stack buffer overflow in the SRBRoot::addTag function
vendor_redhat · 2024-11-14 · CVSS 7.0 · HIGH · CWE-120
A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation bas
GHSA
GHSA-wv79-2fc4-v4hj: A stack buffer overflow was found in International Components for Unicode (ICU)
ghsa_unreviewed · 2025-05-27 · HIGH · CWE-120
A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
OSV
CVE-2025-5222: A stack buffer overflow was found in International Components for Unicode (ICU)
osv · 2025-05-27 · CVSS 7.0 · HIGH
A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-5222 icu: Stack buffer overflow in the SRBRoot::addTag function
bugzilla · 2025-05-26 · CVSS 7.0 · HIGH
A stack buffer overflow was found in ICU version 76.0.1. While running the genrb binary the 'subtag' struct is overflowed in SRBRoot::addTag function. This may lead to memory corruption and arbitrary code execution.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2025:11888 https://access.redhat.com/errata/RHSA-2025:11888
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2025:12083 https://access.redhat.com/errata/RHSA-2025:12083
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
Via RHSA-2025:12331 https://access.redhat.com/errat
Bugzilla
CVE-2025-5222 icu: Stack buffer overflow in the SRBRoot::addTag function [fedora-42]
bugzilla · 2025-05-26 · CVSS 7.0 · HIGH
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2368600
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.
Pac
References
https://access.redhat.com/errata/RHSA-2025:11888
https://access.redhat.com/errata/RHSA-2025:12083
https://access.redhat.com/errata/RHSA-2025:12331
https://access.redhat.com/errata/RHSA-2025:12332
https://access.redhat.com/errata/RHSA-2025:12333
https://access.redhat.com/security/cve/CVE-2025-5222
https://bugzilla.redhat.com/show_bug.cgi?id=2368600
https://unicode-org.atlassian.net/jira/software/c/projects/ICU/issues/ICU-22957
https://lists.debian.org/debian-lts-announce/2025/06/msg00015.html
Published: 2025-05-27