CVE-2025-47256

Name: CVE-2025-47256
Description: Libxmp through 4.6.2 has a stack-based buffer overflow in depack_pha in loaders/prowizard/pha.c via a malformed Pha format tracker module in a .mod file.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
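The bug class named in the description, a Prowizard-style depacker that takes a length from the module file and copies into a fixed-size stack buffer, shown as an added illustration rather than libxmp code: the real depack_pha and its fix are in the commit linked under Notes and are not reproduced here. The module layout (2-byte big-endian packed length followed by nibble-packed pattern bytes), the buffer size PACKED_MAX and all function names are assumptions for the example.

```c
/* Added example, not libxmp code. Models the bug class in the
 * description: a depacker that trusts a size field from the module and
 * writes into a fixed stack buffer, first unchecked, then bounded.
 * Layout, sizes and names below are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PACKED_MAX 1024          /* hypothetical fixed stack buffer */

/* Hypothetical layout: 2-byte big-endian packed length, then packed
 * bytes; each packed byte expands to two output bytes (low, high nibble). */
static size_t read16be(const uint8_t *p)
{
    return ((size_t)p[0] << 8) | p[1];
}

/* Unchecked shape: len comes from the file and is used as the memcpy
 * size with no comparison against sizeof packed. A len above PACKED_MAX
 * overwrites the stack frame; a len above in_len - 2 reads past the
 * input. Kept only for contrast; never call it on untrusted data. */
static int depack_unchecked(const uint8_t *in, size_t in_len,
                            uint8_t *out, size_t out_len)
{
    uint8_t packed[PACKED_MAX];
    size_t len;
    (void)out_len;
    if (in_len < 2)
        return -1;
    len = read16be(in);
    memcpy(packed, in + 2, len);        /* stack-based buffer overflow */
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = packed[i] & 0x0f;
        out[2 * i + 1] = packed[i] >> 4;
    }
    return (int)(2 * len);
}

/* Checked shape: every length that drives a read or write is bounded
 * against the buffer it touches before any copy happens. */
static int depack_checked(const uint8_t *in, size_t in_len,
                          uint8_t *out, size_t out_len)
{
    uint8_t packed[PACKED_MAX];
    size_t len;
    if (in == NULL || out == NULL || in_len < 2)
        return -1;
    len = read16be(in);
    if (len > sizeof packed)            /* destination: the stack buffer */
        return -1;
    if (len > in_len - 2)               /* source: do not read past input */
        return -1;
    if (2 * len > out_len)              /* expansion target */
        return -1;
    memcpy(packed, in + 2, len);
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = packed[i] & 0x0f;
        out[2 * i + 1] = packed[i] >> 4;
    }
    return (int)(2 * len);
}

/* Constructed well-formed module: 3 packed bytes. Returns the number of
 * output bytes (6) after verifying out[0..5] == 1,2,3,4,5,6. */
int example_valid(void)
{
    static const uint8_t good[] = { 0x00, 0x03, 0x21, 0x43, 0x65 };
    static const uint8_t want[6] = { 1, 2, 3, 4, 5, 6 };
    uint8_t out[8] = {0};
    int n = depack_checked(good, sizeof good, out, sizeof out);
    if (n != 6 || memcmp(out, want, 6) != 0)
        return -2;
    return n;
}

/* Same well-formed input through the unchecked path: a correct file
 * behaves identically, which is why the missing check goes unnoticed. */
int example_unchecked_on_valid(void)
{
    static const uint8_t good[] = { 0x00, 0x03, 0x21, 0x43, 0x65 };
    uint8_t out[8] = {0};
    return depack_unchecked(good, sizeof good, out, sizeof out);
}

/* Constructed malformed module: the length field claims 0xffff bytes but
 * the file holds none. The checked depacker refuses it (-1); the
 * unchecked one would memcpy 65535 bytes into a 1024-byte stack buffer. */
int example_malformed(void)
{
    static const uint8_t bad[] = { 0xff, 0xff };
    uint8_t out[8];
    return depack_checked(bad, sizeof bad, out, sizeof out);
}

/* Length fully present in the input but one byte above the stack
 * buffer (1025): rejected by the destination check alone. */
int example_oversized(void)
{
    static uint8_t big[2 + PACKED_MAX + 1];
    static uint8_t out[2 * (PACKED_MAX + 1)];
    big[0] = (uint8_t)((PACKED_MAX + 1) >> 8);
    big[1] = (uint8_t)((PACKED_MAX + 1) & 0xff);
    return depack_checked(big, sizeof big, out, sizeof out);
}

int main(void)
{
    printf("valid: %d, malformed: %d, oversized: %d\n",
           example_valid(), example_malformed(), example_oversized());
    return 0;
}
```

The three checks in depack_checked are independent: the stack buffer bound alone stops the overflow the CVE describes, but a loader that only adds that one check can still over-read the input or overrun its output buffer, so each length is compared against the buffer it actually indexes.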

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release        Version    Status
libxmp (PTS)      bullseye       4.4.1-3    vulnerable
                  bookworm       4.5.0-2    vulnerable
                  sid, trixie    4.6.2-1    vulnerable

The information below is based on the following data on fixed versions.

Package    Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
libxmp     source    (unstable)    (unfixed)

Notes

https://github.com/libxmp/libxmp/issues/847
https://github.com/libxmp/libxmp/pull/848
Fixed by: https://github.com/libxmp/libxmp/commit/004a102c5a75ad809fc309ff73ce8d0f9ab3e456
