CVE-2025-15533
Published: 18 January 2026
Summary
CVE-2025-15533 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in the raylib library (vendor raysan5). Its CVSS base score is 4.8 (Medium).
Operationally, it ranks in the 3.3rd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-15533 is a heap-based buffer overflow vulnerability in the GenImageFontAtlas function within the src/rtext.c file of the raylib library developed by raysan5, affecting versions up to commit 909f040. This flaw, classified under CWE-119 and CWE-122, arises from improper memory buffer handling during font atlas generation.
The vulnerability requires local access and low privileges (PR:L) to exploit, with low attack complexity and no user interaction needed, per its CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). A local attacker who can supply crafted input could trigger the buffer overflow, with limited impact on confidentiality, integrity, and availability (partial data exposure, data modification, or denial of service).
Mitigation is available via the patch in commit 5a3391fdce046bc5473e52afbd835dd2dc127146, accessible through the official raylib GitHub repository. Security advisories, including GitHub issue #5433 and pull request #5450, recommend updating to the patched version to resolve the issue.
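A practical check a maintainer can run against a vendored raylib checkout, added here as an example (it is not taken from the advisory or from the raylib project): it asks git whether the fix commit named above is an ancestor of the checked-out HEAD, and distinguishes "patched", "fix known but not merged", and "cannot tell" (not a repository, shallow or stale clone). It assumes `git` is on PATH and that the repository path is supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the advisory or from raylib: does a raylib checkout
# already contain the fix commit for CVE-2025-15533?
# Assumes git is installed and the checkout is a full (non-shallow) clone.

FIX_COMMIT="5a3391fdce046bc5473e52afbd835dd2dc127146"   # fix commit quoted in the advisory

# has_commit REPO_DIR COMMIT
#   0 -> COMMIT is an ancestor of (or equal to) HEAD in REPO_DIR (patched)
#   1 -> COMMIT exists in the repo but is not in HEAD's history (unpatched)
#   2 -> the repo does not know COMMIT at all (not a repo, shallow or stale clone)
has_commit() {
    repo="$1"; commit="$2"
    # Is the object present locally? Without it merge-base cannot answer.
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        return 2
    fi
    # Is it reachable from HEAD?
    if git -C "$repo" merge-base --is-ancestor "$commit" HEAD 2>/dev/null; then
        return 0
    fi
    return 1
}

# raylib_fix_status REPO_DIR
#   Prints a verdict for CVE-2025-15533 and exits with has_commit's code.
raylib_fix_status() {
    has_commit "$1" "$FIX_COMMIT"
    rc=$?
    case $rc in
        0) echo "$1: fix commit $FIX_COMMIT is in HEAD (patched)" ;;
        1) echo "$1: fix commit is known but not merged into HEAD (UNPATCHED)" ;;
        *) echo "$1: fix commit not found (not a git repo, shallow or stale clone); fetch upstream (status unknown)" ;;
    esac
    return $rc
}

# Usage: ./check_raylib_fix.sh /path/to/raylib
if [ $# -gt 0 ]; then
    raylib_fix_status "$1"
fi
```

Exit code 1 is the actionable one: the fix is present in the object store (the clone has been fetched) but the build is pinned to a commit that predates it, which is the usual state of a vendored dependency that was fetched but never bumped.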
The exploit has been publicly disclosed, with a proof-of-concept available in a third-party repository, which increases the risk of exploitation by local attackers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3187
Vulnerability details
A vulnerability was determined in raysan5 raylib up to 909f040. Affected by this vulnerability is the function GenImageFontAtlas of the file src/rtext.c. Executing a manipulation can lead to heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The patch is commit 5a3391fdce046bc5473e52afbd835dd2dc127146. Applying the patch is advised to resolve this issue.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Insufficient information to map techniques.
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-2 (Flaw Remediation): directly requires applying the available patch (commit 5a3391f) to eliminate the heap buffer overflow in GenImageFontAtlas.
- SI-16 (Memory Protection): enforces memory protection mechanisms that can hinder exploitation of the heap-based buffer overflow (CWE-122) during font atlas generation.
- SI-10 (Information Input Validation): requires validation of untrusted input reaching the GenImageFontAtlas function, mitigating the improper buffer handling at the root cause.