Cyber Resilience

CVE-2025-32743

Critical

Published: 10 April 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0029 (52.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-32743 is a critical-severity Missing Report of Error Condition (CWE-392) vulnerability in Notion (inferred from references). Its CVSS base score is 9.0 (Critical).

Operationally, it is ranked in the top 47.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c can be NULL or an empty string when the TC (Truncated) bit is set in a DNS response. This allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code, because those lookup values lead to incorrect length calculations and incorrect memcpy operations.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Notion
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-392

Mandates alerting on audit failures, directly providing the missing report of the error condition.

addresses: CWE-392

Reporting the security and privacy status to organizational officials ensures monitoring and assessment results are communicated rather than omitted.

addresses: CWE-392

Requires reporting and escalation of error conditions and incidents per documented procedures.

addresses: CWE-392

IR testing would expose missing error reporting that prevents timely incident detection and response.

addresses: CWE-392

Offers direct support for reporting incidents, addressing the failure to report error conditions or security events.

addresses: CWE-392

Includes explicit reporting of security status and analysis results, addressing missing reports of error or monitoring conditions.

References