CVE-2025-61908 — NULL Pointer Dereference in Icinga

CWE-476 — NULL Pointer Dereference4 documents4 sources

Severity

7.1HIGHNVD

EPSS

0.1%

top 79.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Icinga Icinga2 Icinga

Timeline

PublishedOct 16

Description

Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, when creating an invalid reference, such as a reference to null, dereferencing results in a segmentation fault. This can be used by any API user with access to an API endpoint that allows specifying a filter expression to crash the Icinga 2 daemon. A fix is included in the following Icinga 2 versions: 2.15.1, 2.14.7, and 2.13.13.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDicinga/icinga2.10.0 — 2.13.13+2

▶Debianicinga/icinga2< 2.15.1-1

▶CVEListV5icinga/icinga2>=2.10.0, < 2.13.13, >=2.14.0, < 2.14.7, >=2.15.0, < 2.15.1+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Icinga 2 Denial of Service (DoS) By Dereferencing Invalid Reference↗2025-10-16

▶

OSV

CVE-2025-61908: Icinga 2 is an open source monitoring system↗2025-10-16

▶

📋Vendor Advisories

Debian

CVE-2025-61908: icinga2 - Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14...↗2025

▶