#VU106281 Heap-based buffer overflow in UPX - CVE-2025-2849

Cybersecurity Help s.r.o.

Published: 2025-03-31

Vulnerability identifier: #VU106281

Vulnerability risk: Medium

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-2849

CWE-ID: CWE-122

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
UPX
Universal components / Libraries / Libraries used by multiple products

Vendor: UPX

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the PackLinuxElf64::un_DT_INIT() function in p_lx_elf.cpp. A remote attacker can trick the victim into using a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

UPX: 1.10 - 5.0.0

External links
https://github.com/upx/upx/commit/e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2
https://github.com/upx/upx/issues/898

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 41 update for upx

Fedora 42 update for upx

Fedora EPEL 9 update for upx

Fedora 40 update for upx

Remote code execution in UPX