CVE-2025-5222 — Classic Buffer Overflow in International Components FOR Unicode

CWE-120 — Classic Buffer Overflow6 documents6 sources

Severity

7.0HIGHNVD

EPSS

0.0%

top 86.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

9

Unicode International Components FOR Unicode Debian ICU Msrc Azl3 ICU 72.1.0.3-2 ON Azure Linux 3.0 +6 more

Timeline

PublishedMay 27

Description

A stack buffer overflow was found in Internationl components for unicode (ICU ). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages9 packages

▶NVDunicode/international_components< 77.1

▶debiandebian/icu< icu 72.1-3+deb12u1 (bookworm)

▶msrcmsrc/azl3_icu_72.1.0.3-2_on_azure_linux_3.0

▶msrcmsrc/cbl2_icu_68.2.0.9-1_on_cbl_mariner_2.0

▶msrcmsrc/cbl2_icu_68.2.0.9-2_on_cbl_mariner_2.0

🔴Vulnerability Details

2

GHSA

GHSA-wv79-2fc4-v4hj: A stack buffer overflow was found in Internationl components for unicode (ICU )↗2025-05-27

▶

OSV

CVE-2025-5222: A stack buffer overflow was found in Internationl components for unicode (ICU )↗2025-05-27

▶

📋Vendor Advisories

3

Microsoft

Icu: stack buffer overflow in the srbroot::addtag function↗2025-05-13

▶

Debian

CVE-2025-5222: icu - A stack buffer overflow was found in Internationl components for unicode (ICU )....↗2025

▶

Red Hat

icu: Stack buffer overflow in the SRBRoot::addTag function↗2024-11-14

▶