Cyber Resilience

CVE-2025-32468

HighPublic PoC

Published: 25 August 2025

Published
25 August 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0053 67.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-32468 is a high-severity Integer Overflow to Buffer Overflow (CWE-680) vulnerability in Sail Sail. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 32.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-32468 is a memory corruption vulnerability in the BMPv3 Image Decoding functionality of the SAIL Image Decoding Library version 0.9.8. The issue arises when loading a specially crafted BMP file, triggering an integer overflow during stride calculation for decoding. This subsequently causes a heap-based buffer overflow, potentially leading to remote code execution. The vulnerability is classified under CWE-680 and received a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker can exploit this vulnerability by convincing a user or application to load a malicious BMP file through the affected library. No privileges are required, and the attack is network-accessible with low complexity, though it relies on user interaction such as opening the file. Successful exploitation grants high-impact confidentiality, integrity, and availability effects, including the potential for remote code execution in the context of the decoding process.

Mitigation details are available in the Talos Intelligence advisory TALOS-2025-2216 at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2216.

EU & UK References

Vulnerability details

A memory corruption vulnerability exists in the BMPv3 Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .bmp file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards,…

more

this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Buffer overflow in image decoder library enables client-side RCE when user/application loads malicious BMP file (T1203 + T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-53510Same product: Sail Sail
CVE-2025-52930Same product: Sail Sail
CVE-2025-46407Same product: Sail Sail
CVE-2025-52456Same product: Sail Sail
CVE-2025-35984Same product: Sail Sail
CVE-2025-53085Same product: Sail Sail
CVE-2025-50129Same product: Sail Sail
CVE-2026-27168Same product: Sail Sail
CVE-2026-8376Shared CWE-680
CVE-2025-54952Shared CWE-680

Affected Assets

sail
sail
0.9.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the integer overflow and heap buffer overflow in SAIL library's BMPv3 decoding by applying vendor patches or updates to version 0.9.8.

prevent

Implements memory protections like ASLR, DEP, and heap isolation to block remote code execution from the heap buffer overflow even if unpatched.

prevent

Validates BMP image inputs such as dimensions and stride values to block specially crafted files triggering the integer overflow during decoding.

References