CVE-2025-35984
Published: 25 August 2025
Summary
CVE-2025-35984 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Sail Sail. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 40.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and remediation of the known heap buffer overflow flaw in the SAIL library, preventing exploitation via patching.
Implements memory protection features like ASLR, DEP, and heap isolation that directly mitigate heap-based buffer overflows and block remote code execution.
Mandates validation of untrusted image inputs to reject malformed .pcx files before they reach the vulnerable PCX decoding functionality.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in image decoder enables client-side RCE via malicious .pcx file requiring user execution.
NVD Description
A memory corruption vulnerability exists in the PCX Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decoding the image data from a specially crafted .pcx file, a heap-based buffer overflow can occur which allows for remote code…
more
execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
Deeper analysisAI
CVE-2025-35984 is a memory corruption vulnerability in the PCX Image Decoding functionality of the SAIL Image Decoding Library version 0.9.8. The issue arises as a heap-based buffer overflow (CWE-122) during the decoding of image data from a specially crafted .pcx file, which can enable remote code execution. Published on 2025-08-25, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no required privileges, but it necessitates user interaction. Specifically, the attacker must convince a victim to load the malicious .pcx file into an application that uses the vulnerable library for image decoding. Successful exploitation allows the attacker to achieve remote code execution with high impacts on confidentiality, integrity, and availability.
Mitigation details and additional technical analysis are available in the Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2217.
Details
- CWE(s)