CVE-2025-5222

EUVD-2025-16306
A stack buffer overflow was found in Internationl components for unicode (ICU ). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
Classic Buffer Overflow
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7 HIGH
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
redhatCNA
7 HIGH
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
unicodeinternational_components_for_unicode
𝑥
< 77.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
icu
bookworm
72.1-3+deb12u1
fixed
bookworm (security)
72.1-3+deb12u1
fixed
bullseye
vulnerable
bullseye (security)
67.1-7+deb11u1
fixed
forky
78.2-2
fixed
sid
78.2-2
fixed
trixie
76.1-4
fixed
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2025:11888
https://access.redhat.com/errata/RHSA-2025:12083
https://access.redhat.com/errata/RHSA-2025:12331
https://access.redhat.com/errata/RHSA-2025:12332
https://access.redhat.com/errata/RHSA-2025:12333
https://access.redhat.com/security/cve/CVE-2025-5222
https://bugzilla.redhat.com/show_bug.cgi?id=2368600
https://lists.debian.org/debian-lts-announce/2025/06/msg00015.html