Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-61829.json
JSON Data
https://api.osv.dev/v1/vulns/AZL-61829
Upstream
Published
2025-05-14T14:15:30Z
Modified
2026-04-21T04:31:51.160446Z
Summary
CVE-2025-47436 affecting package orc 0.4.31-4
Details

Heap-based Buffer Overflow vulnerability in Apache ORC.

A vulnerability has been identified in the ORC C++ LZO decompression logic: a specially crafted malformed ORC file can cause the decompressor to allocate a 250-byte buffer and then attempt to copy 295 bytes into it, corrupting heap memory.

This issue affects Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, from 2.1.0 through 2.1.1.

Users are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, and 2.1.2, which fix the issue.

References

Affected packages

Azure Linux:2 / orc

Package

Name
orc
Purl
pkg:rpm/azure-linux/orc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
0.4.31-4

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-61829.json"