CVE-2025-4638

A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue may allow context-dependent attackers to cause undefined behavior by exploiting improper pointer arithmetic. Since version 1.14.0, PCL by default uses a zlib installation from the system, unless the user sets WITH_SYSTEM_ZLIB=FALSE. So this potential vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib.

CVSS

No CVSS.

References

Link	Resource
https://github.com/PointCloudLibrary/pcl/blob/master/surface/CMakeLists.txt#L70
https://github.com/PointCloudLibrary/pcl/commit/502bd2b013ce635f21632d523aa8cf2e04f7b7ac
https://github.com/PointCloudLibrary/pcl/pull/6245

Configurations

No configuration.

History

16 May 2025, 14:43

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad en el componente inftrees.c de la librería zlib, que se incluye en PointCloudLibrary (PCL). Este problema podría permitir que atacantes dependientes del contexto provoquen un comportamiento indefinido al explotar una aritmética de punteros incorrecta. Desde la versión 1.14.0, PCL utiliza de forma predeterminada una instalación de zlib desde el sistema, a menos que el usuario configure WITH_SYSTEM_ZLIB=FALSE. Por lo tanto, esta posible vulnerabilidad solo es relevante si la versión de PCL es anterior a la 1.14.0 o si el usuario solicita específicamente no usar la zlib del sistema.

15 May 2025, 14:15

Type	Values Removed	Values Added
CWE		CWE-119

14 May 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-14 18:15

Updated : 2025-05-16 14:43

NVD link : CVE-2025-4638

Mitre link : CVE-2025-4638

CVE.ORG link : CVE-2025-4638

JSON object : View

Products Affected

No product.

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

{"id": "CVE-2025-4638", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cve_disclosure@tech.gov.sg", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 9.2, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:D/RE:M/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "MODERATE", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-14T18:15:33.597", "references": [{"url": "https://github.com/PointCloudLibrary/pcl/blob/master/surface/CMakeLists.txt#L70", "source": "cve_disclosure@tech.gov.sg"}, {"url": "https://github.com/PointCloudLibrary/pcl/commit/502bd2b013ce635f21632d523aa8cf2e04f7b7ac", "source": "cve_disclosure@tech.gov.sg"}, {"url": "https://github.com/PointCloudLibrary/pcl/pull/6245", "source": "cve_disclosure@tech.gov.sg"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-119"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue may allow context-dependent attackers to cause undefined behavior by exploiting improper pointer arithmetic.\n\nSince version 1.14.0, PCL by default uses a zlib installation from the system, unless the user sets WITH_SYSTEM_ZLIB=FALSE. So this potential vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib."}, {"lang": "es", "value": "Existe una vulnerabilidad en el componente inftrees.c de la librer\u00eda zlib, que se incluye en PointCloudLibrary (PCL). Este problema podr\u00eda permitir que atacantes dependientes del contexto provoquen un comportamiento indefinido al explotar una aritm\u00e9tica de punteros incorrecta. Desde la versi\u00f3n 1.14.0, PCL utiliza de forma predeterminada una instalaci\u00f3n de zlib desde el sistema, a menos que el usuario configure WITH_SYSTEM_ZLIB=FALSE. Por lo tanto, esta posible vulnerabilidad solo es relevante si la versi\u00f3n de PCL es anterior a la 1.14.0 o si el usuario solicita espec\u00edficamente no usar la zlib del sistema."}], "lastModified": "2025-05-16T14:43:56.797", "sourceIdentifier": "cve_disclosure@tech.gov.sg"}

JSON object

Attach tags to CVE-2025-4638

Attach tags to `CVE-2025-4638`