CVE-2025-65410

low-risk

Published 2025-12-23

A stack overflow in the src/main.c component of GNU Unrtf v0.21.10 allows attackers to cause a Denial of Service (DoS) via injecting a crafted input into the filename parameter.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.2/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Unrtf

Affected Vendors

Unrtf Project

References (5)

Exploit https://github.com/MAXEUR5/Vulnerability_Disclosures/blob/main/2025/CVE-2025-654...

Broken Link https://hg.savannah.gnu.org/hgweb/unrtf/rev/a5d3b025a8b1

Mailing List https://lists.gnu.org/archive/html/bug-unrtf/2025-11/msg00001.html

Product https://savannah.gnu.org/projects/unrtf/

Product https://www.gnu.org/software/unrtf/

/ 100

low-risk

Severity 20/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal