Cyber Resilience

CVE-2025-29070

High

Published: 01 April 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: none indicated
CVSS Score (v3.1): 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0059 (69.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-29070 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 30.4% of CVEs by exploit likelihood (EPSS percentile 69.6), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

A heap buffer overflow vulnerability tracked as CVE-2025-29070 affects the smooth2() function in cmsgamma.c within Little CMS 2 (lcms2) version 2.16. The flaw is classified under CWE-122 and carries a CVSS 3.1 base score of 7.5: the vector describes a network-reachable condition with low attack complexity, requiring neither privileges nor user interaction, whose impact is limited to availability (denial of service) with no confidentiality or integrity impact.

An unauthenticated remote attacker could supply crafted input to trigger the overflow and crash the affected process. The vendor disputes practical exploitability, stating that smooth2() is never invoked during normal color-management operations and exists solely as a helper for low-level debugging or investigation.

Public discussion in the referenced Little-CMS GitHub issues confirms the supplier's position that the function is not reached under ordinary use, with no vendor-supplied patch or mitigation steps indicated.

The associated EPSS probability rose from a low starting value to a peak of 0.0453 before receding to 0.0059, indicating a temporary increase in exploitation interest after disclosure.

Vulnerability details

A heap buffer overflow vulnerability has been identified in the smooth2() function in cmsgamma.c in lcms2-2.16 which allows a remote attacker to cause a denial of service. NOTE: the Supplier disputes this because "this is not exploitable as this function is never called on normal color management, is there only as a helper for low-level programming and investigation."

CWE(s): CWE-122 (Heap-based Buffer Overflow)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets: Little CMS 2 (lcms2) version 2.16, per the vulnerability details above

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.