UBUNTU-CVE-2025-62496

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-62496

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-62496.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-62496

Upstream

CVE-2025-62496

Published

2025-10-16T16:15:00Z

Modified

2026-05-20T16:23:39.952604836Z

Severity

7.1 (High) CVSS_V4 - CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L CVSS Calculator
8.8 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

A vulnerability exists in the QuickJS engine's BigInt string parsing logic (jsbigintfromstring) when attempting to create a BigInt from a string with an excessively large number of digits. The function calculates the necessary number of bits (nbits) required to store the BigInt using the formula: $$\text{n_bits} = (\text{n_digits} \times 27 + 7) / 8 \quad (\text{for radix 10})$$ * For large input strings (e.g., $79,536,432$ digits or more for base 10), the intermediate calculation $(\text{n_digits} \times 27 + 7)$ exceeds the maximum value of a standard signed 32-bit integer, resulting in an Integer Overflow. * The resulting nbits value becomes unexpectedly small or even negative due to this wrap-around. * This flawed nbits is then used to compute nlimbs, the number of memory "limbs" needed for the BigInt object. Since nbits is too small, the calculated nlimbs is also significantly underestimated. * The function proceeds to allocate a JSBigInt object using this underestimated nlimbs. * When the function later attempts to write the actual BigInt data into the allocated object, the small buffer size is quickly exceeded, leading to a Heap Out-of-Bounds Write as data is written past the end of the allocated r->tab array.

References

Affected packages

Ubuntu:Pro:24.04:LTS / quickjs

Package

Name: quickjs
Purl: pkg:deb/ubuntu/quickjs?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2021.*

2021.03.27-1

2021.03.27-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2021.03.27-1ubuntu0.1~esm1",
            "binary_name": "libquickjs"
        },
        {
            "binary_version": "2021.03.27-1ubuntu0.1~esm1",
            "binary_name": "quickjs"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-62496.json"

Ubuntu:25.10 / quickjs

Package

Name: quickjs
Purl: pkg:deb/ubuntu/quickjs?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2024.*

2024.01.13-5

2025.*

2025.04.26-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2025.04.26-1",
            "binary_name": "libquickjs"
        },
        {
            "binary_version": "2025.04.26-1",
            "binary_name": "quickjs"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-62496.json"

Ubuntu:26.04:LTS / quickjs

Package

Name: quickjs
Purl: pkg:deb/ubuntu/quickjs?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2025.*

2025.04.26-1

2025.04.26-1build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "2025.04.26-1build1",
            "binary_name": "libquickjs"
        },
        {
            "binary_version": "2025.04.26-1build1",
            "binary_name": "quickjs"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-62496.json"