Cyber Posture

CVE-2025-37178

Medium

Published: 13 January 2026
Modified: 23 January 2026
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0006 (19.5th percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-37178 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Aruba Networks ArubaOS. Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks the CVE at the 19.5th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Out-of-bounds read via crafted network input directly enables application/system crash for DoS (T1499.004 Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process.

Deeper analysis

CVE-2025-37178 involves multiple out-of-bounds read vulnerabilities (CWE-125) in a system component responsible for handling certain data buffers. The flaws arise from insufficient validation of maximum buffer size values, allowing the process to attempt reads beyond the intended memory region under specific conditions. This can result in a crash of the affected process. The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and was published on 2026-01-13T20:16:05.983.

Remote attackers without privileges can exploit the vulnerability over the network with low complexity and no user interaction required. Crafted input that bypasses the buffer size checks triggers the out-of-bounds read and crashes the affected process; the resulting denial of service is rated as low availability impact, with no confidentiality or integrity effects.

The HPE security bulletin provides further details on the issue, available at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US.

Details

CWE(s): CWE-125 (Out-of-bounds Read)

Affected Products

arubanetworks arubaos: 8.6.0.0 to 8.10.0.21, 8.11.0.0 to 8.13.1.1

CVEs Like This One

CVE-2025-37175 (same product: Aruba Networks ArubaOS)
CVE-2025-37173 (same product: Aruba Networks ArubaOS)
CVE-2025-37169 (same product: Aruba Networks ArubaOS)
CVE-2025-37176 (same product: Aruba Networks ArubaOS)
CVE-2025-37170 (same product: Aruba Networks ArubaOS)
CVE-2025-37174 (same product: Aruba Networks ArubaOS)
CVE-2025-37171 (same product: Aruba Networks ArubaOS)
CVE-2025-37172 (same product: Aruba Networks ArubaOS)
CVE-2025-37168 (same product: Aruba Networks ArubaOS)
CVE-2025-0612 (shared CWE-125)