CVE-2025-15533

Severity: Medium · Public PoC available

Published: 18 January 2026
Modified: 23 February 2026
KEV added: not listed (not in the CISA KEV catalog)
Patch: available (commit 5a3391fdce046bc5473e52afbd835dd2dc127146)
CVSS v4 score: 4.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0001 (3.3rd percentile)
Risk priority: 10 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-15533 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in raylib (vendor Raylib, product Raylib). Its CVSS base score is 4.8 (Medium).

Operationally, its EPSS exploit likelihood ranks at the 3.3rd percentile (well below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-15533 is a heap-based buffer overflow vulnerability in the GenImageFontAtlas function in the src/rtext.c file of the raylib library developed by raysan5, affecting versions up to commit 909f040. This flaw, classified under CWE-119 and CWE-122, arises from improper handling of a memory buffer during font atlas generation.

The vulnerability requires local access and low privileges (PR:L) to exploit, with low attack complexity and no user interaction needed, as per its CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). A local attacker can trigger the buffer overflow through crafted input, potentially achieving limited impacts on confidentiality, integrity, and availability, such as partial data exposure, modification, or denial of service.

Mitigation is available via the patch in commit 5a3391fdce046bc5473e52afbd835dd2dc127146, accessible through the official raylib GitHub repository. Security advisories, including GitHub issue #5433 and pull request #5450, recommend updating to the patched version to resolve the issue.

The exploit has been publicly disclosed, with a proof-of-concept available in a third-party repository, which increases the risk that local attackers make use of it.

Vulnerability details

A vulnerability was determined in raysan5 raylib up to 909f040. Affected by this vulnerability is the function GenImageFontAtlas of the file src/rtext.c. Executing a manipulation can lead to a heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. This patch is called 5a3391fdce046bc5473e52afbd835dd2dc127146. Applying a patch is advised to resolve this issue.

CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-122 (Heap-based Buffer Overflow)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-15534: same product (Raylib Raylib)
CVE-2025-1788: shared CWE-119, CWE-122
CVE-2024-45421: shared CWE-119, CWE-122
CVE-2026-1145: shared CWE-119, CWE-122
CVE-2026-3281: shared CWE-119, CWE-122
CVE-2026-3463: shared CWE-119, CWE-122
CVE-2025-2757: shared CWE-119, CWE-122
CVE-2025-8178: shared CWE-119, CWE-122
CVE-2026-5244: shared CWE-119, CWE-122
CVE-2025-2337: shared CWE-119, CWE-122

Affected Assets

Vendor: raylib
Product: raylib
Affected versions: ≤ 2026-01-01

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent (SI-2, Flaw Remediation): Directly requires applying the available patch (commit 5a3391f) to eliminate the heap buffer overflow in GenImageFontAtlas.

Prevent (SI-16, Memory Protection): Enforces memory protection mechanisms that can prevent exploitation of the heap-based buffer overflow (CWE-122) during font atlas generation.

Prevent (input validation): Requires validation of untrusted input to the GenImageFontAtlas function, mitigating the improper buffer handling root cause.