Cyber Resilience

CVE-2025-35984

HighPublic PoC

Published: 25 August 2025

Published
25 August 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0047 65.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-35984 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Sail Sail. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 35.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-35984 is a memory corruption vulnerability in the PCX Image Decoding functionality of the SAIL Image Decoding Library version 0.9.8. The issue arises as a heap-based buffer overflow (CWE-122) during the decoding of image data from a specially crafted .pcx file, which can enable remote code execution. Published on 2025-08-25, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no required privileges, but it necessitates user interaction. Specifically, the attacker must convince a victim to load the malicious .pcx file into an application that uses the vulnerable library for image decoding. Successful exploitation allows the attacker to achieve remote code execution with high impacts on confidentiality, integrity, and availability.

Mitigation details and additional technical analysis are available in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2217.

EU & UK References

Vulnerability details

A memory corruption vulnerability exists in the PCX Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decoding the image data from a specially crafted .pcx file, a heap-based buffer overflow can occur which allows for remote code…

more

execution. An attacker will need to convince the library to read a file to trigger this vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Heap buffer overflow in image decoder enables client-side RCE via malicious .pcx file requiring user execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-53085Same product: Sail Sail
CVE-2025-50129Same product: Sail Sail
CVE-2026-27168Same product: Sail Sail
CVE-2025-53510Same product: Sail Sail
CVE-2025-32468Same product: Sail Sail
CVE-2025-52930Same product: Sail Sail
CVE-2025-52456Same product: Sail Sail
CVE-2025-46407Same product: Sail Sail
CVE-2025-21395Shared CWE-122
CVE-2026-34629Shared CWE-122

Affected Assets

sail
sail
0.9.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventrecover

Requires timely identification, reporting, and remediation of the known heap buffer overflow flaw in the SAIL library, preventing exploitation via patching.

prevent

Implements memory protection features like ASLR, DEP, and heap isolation that directly mitigate heap-based buffer overflows and block remote code execution.

prevent

Mandates validation of untrusted image inputs to reject malformed .pcx files before they reach the vulnerable PCX decoding functionality.

References