CVE-2025-37178
Published: 13 January 2026
Summary
CVE-2025-37178 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Aruba Networks ArubaOS. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its exploit likelihood ranks at the 18.2 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-39 (Process Isolation).
Deeper analysis
CVE-2025-37178 involves multiple out-of-bounds read vulnerabilities (CWE-125) in a system component responsible for handling certain data buffers. The flaws arise from insufficient validation of maximum buffer size values, allowing the process to attempt reads beyond the intended memory region under specific conditions. This can result in a crash of the affected process. The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and was published on 2026-01-13T20:16:05.983.
Remote, unprivileged attackers can exploit the vulnerability over the network with low complexity and no user interaction. By supplying crafted input that bypasses the buffer size checks, an attacker can trigger the out-of-bounds read and crash the affected process, a denial-of-service condition whose impact is limited to low availability with no confidentiality or integrity effects.
The HPE security bulletin provides further details on the issue, available at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US.
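The bug class described above, as an added example that is not the advisory's or ArubaOS code: a length-prefixed record parser in which the claimed length is checked only against a protocol maximum (weak_payload_len) next to the check that also bounds it by the bytes actually received (safe_payload_len). MAX_PAYLOAD, the two-byte header and the packet contents are assumptions constructed for the illustration.

```c
/* Added example, not ArubaOS code: a length-prefixed record parser showing
 * the bug class above (claimed length checked only against a maximum, not
 * against the bytes actually received) beside the hardened check.
 * MAX_PAYLOAD and the 2-byte header are assumptions for the illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 64U  /* assumed protocol maximum for the example */

/* Weak check: the claimed length is compared with the protocol maximum only.
 * Returns the payload length the caller would go on to read, or -1 if the
 * header is rejected. The returned length can exceed pkt_len - 2, so a
 * memcpy of that many bytes would read past the received buffer (CWE-125). */
int weak_payload_len(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 2) return -1;
    unsigned claimed = ((unsigned)pkt[0] << 8) | pkt[1];
    if (claimed > MAX_PAYLOAD) return -1;
    return (int)claimed;
}

/* Hardened check (SI-10 style input validation): the claimed length must fit
 * inside both the protocol maximum and the bytes actually present. */
int safe_payload_len(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 2) return -1;
    unsigned claimed = ((unsigned)pkt[0] << 8) | pkt[1];
    if (claimed > MAX_PAYLOAD) return -1;
    if (claimed > pkt_len - 2) return -1;   /* would read beyond the buffer */
    return (int)claimed;
}

/* Copies the payload only after the hardened check, so it never reads past
 * pkt. Returns 1 on success, 0 if the packet is rejected or out is too small. */
int extract_payload(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_len) {
    int n = safe_payload_len(pkt, pkt_len);
    if (n < 0 || (size_t)n > out_len) return 0;
    memcpy(out, pkt + 2, (size_t)n);
    return 1;
}

int main(void) {
    /* Constructed packet: the header claims 40 payload bytes but only 4 follow. */
    const uint8_t truncated[] = {0x00, 0x28, 'a', 'b', 'c', 'd'};
    printf("weak check accepts length %d from a %zu-byte packet\n",
           weak_payload_len(truncated, sizeof truncated), sizeof truncated);
    printf("safe check returns %d\n", safe_payload_len(truncated, sizeof truncated));
    return 0;
}
```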
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2051
Vulnerability details
Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process.
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An out-of-bounds read triggered by crafted network input directly enables an application or system crash, i.e. denial of service (T1499.004, Application or System Exploitation).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of input buffer size values, blocking the crafted data that triggers out-of-bounds reads.
- Memory-access protection: applies protections that can detect or block reads beyond allocated buffer regions.
- SC-39 (Process Isolation): isolates the vulnerable process so an out-of-bounds read crash cannot affect other system components.