CVE-2025-2338
Published: 16 March 2025
Summary
CVE-2025-2338 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Matio Project Matio. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the known heap-based buffer overflow vulnerability in tbeu/matio 1.5.28 by requiring timely patching or upgrading of the affected software component.
Implements memory protections such as ASLR, DEP, and heap canaries that directly mitigate exploitation of heap buffer overflows like the one in strdup_vprintf.
Validates untrusted inputs before processing by the vulnerable matio library function, reducing the risk of malformed data triggering the buffer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap-based buffer overflow in file parsing library (matio) triggered by malicious .mat file enables client-side exploitation for code execution/memory corruption.
NVD Description
A vulnerability, which was classified as critical, was found in tbeu matio 1.5.28. Affected is the function strdup_vprintf of the file src/io.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit has…
more
been disclosed to the public and may be used.
Deeper analysisAI
CVE-2025-2338 is a heap-based buffer overflow vulnerability classified as critical in tbeu/matio version 1.5.28. The issue affects the strdup_vprintf function in the src/io.c file, where manipulation can trigger the overflow. It was published on 2025-03-16 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow).
The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) with low attack complexity (AC:L), though it requires user interaction (UI:R), such as opening a malicious file processed by the affected component. Successful exploitation may result in low-impact confidentiality, integrity, and availability effects (C:L/I:L/A:L), potentially leading to memory corruption, denial of service, or limited data tampering depending on the context.
Advisories and details are documented in GitHub issues at https://github.com/tbeu/matio/issues/269 and https://github.com/tbeu/matio/issues/269#issue-2883920922, along with VulDB entries at https://vuldb.com/?ctiid.299802, https://vuldb.com/?id.299802, and https://vuldb.com/?submit.510781. The exploit has been publicly disclosed and may be used by attackers.
Notable context includes the public availability of the exploit, increasing the risk for systems using tbeu/matio 1.5.28 that process untrusted inputs.
Details
- CWE(s)