•
LOW Severity
CVE-2025-48188
Incorrect call leading to a heap-based buffer over-read in GNU PSPP
Overview
The version through 2.0.1 of GNU PSPP has a vulnerability where an inaccurate call from fill_buffer to the Gnulib rijndaelDecrypt function leads to a heap-based buffer over-read.
Technical Details
In libpspp-core.a in GNU PSPP, fill_buffer (in data/encrypted-file.c) incorrectly calls the Gnulib rijndaelDecrypt function which results in a heap-based buffer over-read.
CVSS Metrics
- baseScore: 2.9
- baseSeverity: LOW
- attackVector: LOCAL
- attackComplexity: HIGH
- privilegesRequired: NONE
- userInteraction: NONE
- scope: UNCHANGED
- confidentialityImpact: NONE
- integrityImpact: NONE
- availabilityImpact: LOW
Impact
The exploit impact will largely be low as the vulnerability only allows over-reading existing buffer data, not modifying or deleting it.
Recommendations
It is advised to update to a newer version of GNU PSPP which addresses this vulnerability.
Threat Metrics
- cvss_score: 2.9
- severity: LOW
- attack_vector: LOCAL
- attack_complexity: HIGH