CVE-2025-11964

Name	CVE-2025-11964
Description	On Windows only, if libpcap needs to convert a Windows error message to UTF-8 and the message includes characters that UTF-8 represents using 4 bytes, utf_16le_to_utf_8_truncated() can write data beyond the end of the provided buffer.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libpcap (PTS)	bullseye	1.10.0-2	fixed
	bookworm	1.10.3-1	fixed
	forky, sid, trixie	1.10.5-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libpcap	source	(unstable)	(not affected)

Notes

- libpcap <not-affected> (Only affects libpcap on Windows)
Fixed by: https://github.com/the-tcpdump-group/libpcap/commit/7fabf607f2319a36a0bd78444247180acb838e69 (libpcap-1.10.6)