CVE-2025-5898

low-risk
Published 2025-06-09

A vulnerability classified as critical has been found in GNU PSPP 82fb509fb2fedd33e7ac0c46ca99e108bb3bdffb. Affected is the function parse_variables_option of the file utilities/pspp-convert.c. The manipulation leads to out-of-bounds write. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
LOCAL / LOW complexity

References (7)

https://drive.google.com/file/d/1ZigqDFZQn5YUWFLu1V2juDGWQgbJFAtX/view?usp=shari...
https://savannah.gnu.org/bugs/index.php?67071
https://vuldb.com/?ctiid.311670
https://vuldb.com/?id.311670
https://vuldb.com/?submit.586105
https://www.gnu.org/
https://savannah.gnu.org/bugs/index.php?67071
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal