CVE-2025-15533
Published: 18 January 2026
Summary
CVE-2025-15533 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in raysan5 raylib. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks at the 2.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.
Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.
Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.
Detection of exploitation attempts that produce memory corruption, crashes, or anomalous behavior.
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
NVD Description
A vulnerability was determined in raysan5 raylib up to 909f040. Affected by this vulnerability is the function GenImageFontAtlas of the file src/rtext.c. Executing a manipulation can lead to heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. This patch is called 5a3391fdce046bc5473e52afbd835dd2dc127146. Applying a patch is advised to resolve this issue.
Deeper analysis
CVE-2025-15533 is a heap-based buffer overflow vulnerability in the GenImageFontAtlas function within the src/rtext.c file of the raylib library developed by raysan5, affecting versions up to commit 909f040. This flaw, classified under CWE-119 and CWE-122, arises from improper memory buffer handling during font atlas generation.
The vulnerability requires local access and low privileges (PR:L) to exploit, with low attack complexity and no user interaction needed, as per its CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). A local attacker can trigger the buffer overflow through crafted input, potentially achieving limited impacts on confidentiality, integrity, and availability, such as partial data exposure, modification, or denial of service.
Mitigation is available via the patch in commit 5a3391fdce046bc5473e52afbd835dd2dc127146, accessible through the official raylib GitHub repository. Security advisories, including GitHub issue #5433 and pull request #5450, recommend updating to the patched version to resolve the issue.
The exploit has been publicly disclosed, with a proof-of-concept available in a third-party repository, increasing the risk of utilization by local attackers.
Details
- CWE(s)