CVE-2025-29070
Published: 01 April 2025
Summary
CVE-2025-29070 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 30.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A heap buffer overflow vulnerability tracked as CVE-2025-29070 affects the smooth2() function in cmsgamma.c within Little CMS 2 (lcms2) version 2.16. The flaw is classified under CWE-122 and carries a CVSS 3.1 score of 7.5, reflecting network-reachable conditions that can produce a denial of service without authentication or user interaction.
An unauthenticated remote attacker could supply crafted input to trigger the overflow and crash the affected process. The vendor disputes practical exploitability, stating that smooth2() is never invoked during normal color-management operations and exists solely as a helper for low-level debugging or investigation.
Public discussion in the referenced Little-CMS GitHub issues confirms the supplier's position that the function is not reached under ordinary use, with no vendor-supplied patch or mitigation steps indicated.
The associated EPSS probability rose from a low starting value to a peak of 0.0453 before receding to 0.0059, indicating a temporary increase in exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9489
Vulnerability details
A heap buffer overflow vulnerability has been identified in the smooth2() function in cmsgamma.c in lcms2-2.16, which allows a remote attacker to cause a denial of service. NOTE: the Supplier disputes this because "this is not exploitable as this function is never called on normal color management, is there only as a helper for low-level programming and investigation."
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.