CVE-2025-0838

Severity: Medium
Published: 21 February 2025
Modified: 30 July 2025
CVSS v4 Score: 5.9
CVSS v4 Vector: CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0013 (31.7th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0838 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Abseil Common Libraries. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 31.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0838 is a heap buffer overflow vulnerability in the Abseil-cpp library (CWE-190: Integer Overflow or Wraparound). It affects the sized constructors, reserve(), and rehash() methods of absl::flat_hash_set, absl::flat_hash_map, absl::node_hash_set, and absl::node_hash_map. These methods failed to impose an upper bound on the size argument, enabling a caller to supply an excessively large value. This triggers an integer overflow when calculating the container's backing store size, leading to an out-of-bounds memory write, with subsequent container accesses potentially causing additional out-of-bounds reads or writes.

Under the CVSS v3.1 vector (9.8/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), a remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction. The CVSS v4 vector listed at the top of this page rates the same issue differently (5.9, AV:A/AC:H/AT:P/PR:L/UI:A). Because the flaw sits in a library, it is reachable only where an application passes an attacker-influenced size to the vulnerable methods. By passing a crafted large size argument to those methods, the attacker induces the overflow and out-of-bounds write, which could result in arbitrary code execution, data corruption, or denial of service through memory corruption in applications relying on these Abseil-cpp hash container implementations.

Mitigation involves upgrading Abseil-cpp past commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1, as detailed in the project's GitHub commit. Debian LTS has also announced updates addressing this issue in affected packages.

Vulnerability details

There exists a heap buffer overflow vulnerability in Abseil-cpp. The sized constructors, reserve(), and rehash() methods of absl::{flat,node}_hash_{set,map} did not impose an upper bound on their size argument. As a result, it was possible for a caller to pass a very large size that would cause an integer overflow when computing the size of the container's backing store, and a subsequent out-of-bounds memory write. Subsequent accesses to the container might also access out-of-bounds memory. We recommend upgrading past commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated heap buffer overflow enabling arbitrary code execution over the network in applications using the vulnerable library directly maps to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-68670 (Same product: Debian Debian Linux)
CVE-2024-40635 (Same product: Debian Debian Linux)
CVE-2024-46981 (Same product: Debian Debian Linux)
CVE-2025-30404 (Shared CWE-190)
CVE-2025-53518 (Shared CWE-190)
CVE-2024-55656 (Shared CWE-190)
CVE-2026-44673 (Shared CWE-190)
CVE-2024-11347 (Shared CWE-190)
CVE-2026-31649 (Shared CWE-190)
CVE-2025-14308 (Shared CWE-190)

Affected Assets

abseil common libraries: ≤ 20250127.0
debian debian linux: 11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: SI-2 mandates timely identification, reporting, and remediation of software flaws, directly requiring upgrade of vulnerable Abseil-cpp past the specified commit to eliminate the integer overflow and heap buffer overflow.

Prevent: SI-16 enforces memory protections such as non-executable memory regions and address space layout randomization to prevent exploitation of heap buffer overflows through unauthorized code execution or corruption.

Prevent: SI-10 requires validation of information inputs like size arguments to Abseil-cpp hash container methods, preventing excessively large values that trigger the integer overflow.
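The size wraparound described under "Deeper analysis" and the SI-10 input check, as an added example that is not Abseil's code. The slot layout (kSlotBytes), the element cap (kMaxUntrustedElements) and the helper names are assumptions made for illustration, and std::unordered_set stands in for an absl hash container.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <unordered_set>

// Simplified model (assumption, not Abseil's real layout): each slot costs
// kSlotBytes of payload plus one control byte.
constexpr std::size_t kSlotBytes = 16;  // constructed value
constexpr std::size_t kPerSlot = kSlotBytes + 1;

// CWE-190 pattern: unsigned multiplication wraps modulo 2^N, so a huge
// capacity yields a tiny allocation size that later writes overrun.
std::size_t backing_bytes_unchecked(std::size_t capacity) {
    return capacity * kPerSlot;
}

// Overflow-checked form: refuse any capacity whose byte size cannot be
// represented, instead of returning a wrapped value.
bool backing_bytes_checked(std::size_t capacity, std::size_t* out) {
    if (capacity > std::numeric_limits<std::size_t>::max() / kPerSlot) return false;
    *out = capacity * kPerSlot;
    return true;
}

// SI-10 style guard at the trust boundary: element counts parsed from
// untrusted input are capped by application policy before they reach
// reserve(), rehash() or a sized constructor.
constexpr std::uint64_t kMaxUntrustedElements = 1u << 20;  // hypothetical policy

template <typename Container>
bool reserve_from_untrusted(Container& c, std::uint64_t requested) {
    if (requested > kMaxUntrustedElements) return false;  // reject, never clamp silently
    c.reserve(static_cast<std::size_t>(requested));
    return true;
}

int main() {
    const std::size_t huge = std::numeric_limits<std::size_t>::max() / kPerSlot + 1;
    std::size_t bytes = 0;
    std::unordered_set<int> ids;  // stand-in for an absl hash container
    bool ok = backing_bytes_unchecked(huge) < huge         // size wrapped
              && !backing_bytes_checked(huge, &bytes)      // rejected
              && !reserve_from_untrusted(ids, UINT64_MAX)  // rejected by policy
              && reserve_from_untrusted(ids, 1024);        // accepted
    return ok ? 0 : 1;
}
```

The cap is a compensating control for code paths that take sizes from untrusted input; it does not replace upgrading past the fixed commit.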
