CVE-2025-5222

Name: CVE-2025-5222
Description: A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4217-1
Debian Bugs: 1106684

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version          Status
icu (PTS)        bullseye              67.1-7           vulnerable
                 bullseye (security)   67.1-7+deb11u1   fixed
                 bookworm              72.1-3           vulnerable
                 sid, trixie           76.1-4           fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version    Urgency   Origin       Debian Bugs
icu       source   bullseye     67.1-7+deb11u1             DLA-4217-1
icu       source   (unstable)   76.1-4                                  1106684

Notes

https://unicode-org.atlassian.net/browse/ICU-22957
Fixed by: https://github.com/unicode-org/icu/commit/2c667e31cfd0b6bb1923627a932fd3453a5bac77 (release-77-rc)
