Cyber Resilience

CVE-2019-25555

MediumPublic PoC

Published: 21 March 2026

Published
21 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0002 5.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-25555 is a medium-severity Incorrect Calculation of Buffer Size (CWE-131) vulnerability in Pixarra Twistedbrush Pro Studio. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

TwistedBrush Pro Studio 24.06 contains a denial of service vulnerability (CVE-2019-25555) in its Script Recorder component, stemming from improper handling of an excessively large buffer (CWE-131). Local attackers can trigger an application crash by pasting a malicious string of 500,000 characters into the Description field of the Script Recorder dialog. The vulnerability carries a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating medium severity with high availability impact but no confidentiality or integrity effects.

The attack requires local access to the system running the affected software, with no privileges or user interaction needed beyond opening the Script Recorder dialog. Attackers can achieve a complete denial of service by causing the application to crash, potentially disrupting user workflows or legitimate operations dependent on TwistedBrush Pro Studio.

Advisories and related resources include a proof-of-concept exploit published on Exploit-DB (exploit ID 46844), a detailed advisory from Vulncheck on the TwistedBrush Pro Studio Script Recorder denial of service, and the vendor's site at pixarra.com. No specific patch or mitigation details are outlined in the available information.

EU & UK References

Vulnerability details

TwistedBrush Pro Studio 24.06 contains a denial of service vulnerability in the Script Recorder component that allows local attackers to crash the application by supplying an excessively large buffer. Attackers can paste a malicious string containing 500,000 characters into the…

more

Description field of the Script Recorder dialog to trigger an application crash.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Local buffer mishandling leads directly to application crash, matching Endpoint DoS via Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20049Shared CWE-131
CVE-2026-40618Shared CWE-131
CVE-2024-8361Shared CWE-131
CVE-2026-29645Shared CWE-131
CVE-2024-11425Shared CWE-131
CVE-2026-1949Shared CWE-131
CVE-2026-20911Shared CWE-131
CVE-2025-1861Shared CWE-131
CVE-2025-62550Shared CWE-131
CVE-2026-1188Shared CWE-131

Affected Assets

pixarra
twistedbrush pro studio
24.06

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents the DoS by validating and rejecting excessively large inputs like the 500,000-character string in the Script Recorder Description field.

prevent

Enforces restrictions on input quantity and size at application interfaces to block oversized buffers that crash the Script Recorder component.

prevent

Ensures graceful error handling for invalid large buffers, preventing application crashes from improper buffer management in the Script Recorder.

References