CVE-2025-52456
Published: 25 August 2025
Summary
CVE-2025-52456 is a high-severity Integer Overflow to Buffer Overflow (CWE-680) vulnerability in SAIL (the SAIL Image Decoding Library). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 39.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the integer overflow and heap buffer overflow in the SAIL library's WebP decoding by identifying, prioritizing, and applying patches or upgrades.
- SI-16 (Memory Protection): implements memory protection mechanisms such as address space layout randomization and heap canaries to make exploitation of the buffer overflow, and the resulting RCE, harder.
- SI-10 (Information Input Validation): validates WebP image inputs for size, structure, and stride calculations so that specially crafted animations cannot trigger the integer overflow.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An integer overflow in an image decoder library enables client-side RCE via a malicious .webp file that a user must open (Exploitation for Client Execution, T1203).
NVD Description
A memory corruption vulnerability exists in the WebP Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .webp animation an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
Deeper analysis
A memory corruption vulnerability, designated CVE-2025-52456, affects the WebP Image Decoding functionality in the SAIL Image Decoding Library version 0.9.8. The issue arises when processing a specially crafted .webp animation, triggering an integer overflow during stride calculation for decoding. Because the decoder sizes its output buffer from the wrapped stride, the overflow subsequently causes a heap-based buffer overflow, potentially enabling remote code execution. The vulnerability is classified under CWE-680 (Integer Overflow to Buffer Overflow) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
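The bug class described above (a stride computed in 32-bit arithmetic that wraps, so the heap buffer allocated from it is far smaller than the rows the decoder later writes into it) and the input-validation control listed under the mitigating controls are both easier to reason about with a concrete size calculation. The following C program is an added illustration written for this page; it is not SAIL's code and does not reflect how the SAIL decoder or libwebp is structured. The function names (`stride_unchecked`, `frame_size_checked`, `alloc_frame`), the `MAX_FRAME_BYTES` policy cap and the constructed header values are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Added illustration of the bug class behind CVE-2025-52456: an integer
 * overflow in a stride calculation that undersizes a heap buffer.
 * Hypothetical decoder-shaped code, not SAIL's implementation. */

/* Assumed policy cap on a single decoded frame (256 MiB). */
#define MAX_FRAME_BYTES ((size_t)256 * 1024 * 1024)

/* Vulnerable pattern: the row stride is computed with 32-bit unsigned
 * arithmetic. For a large width the product wraps modulo 2^32, the stride
 * becomes tiny, and any buffer sized from it is smaller than what a
 * row-by-row decode later writes. */
uint32_t stride_unchecked(uint32_t width, uint32_t bytes_per_pixel)
{
    return width * bytes_per_pixel; /* uint32 multiply: wraps silently */
}

/* Hardened pattern: each multiplication is checked before it is performed,
 * and the result is bounded by an explicit policy limit rather than only by
 * the width of the integer type. Returns 0 on success, -1 on rejection. */
int frame_size_checked(uint32_t width, uint32_t height, uint32_t bytes_per_pixel,
                       size_t *stride_out, size_t *total_out)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0 || bytes_per_pixel > 4)
        return -1;                                   /* implausible header fields */

    /* width * bytes_per_pixel: reject instead of wrapping */
    if ((size_t)width > MAX_FRAME_BYTES / bytes_per_pixel)
        return -1;
    size_t stride = (size_t)width * bytes_per_pixel; /* now <= MAX_FRAME_BYTES */

    /* stride * height: the same cap check also rules out size_t wraparound */
    if ((size_t)height > MAX_FRAME_BYTES / stride)
        return -1;
    size_t total = stride * height;

    *stride_out = stride;
    *total_out = total;
    return 0;
}

/* Allocate a frame buffer only from checked dimensions; NULL on rejection. */
uint8_t *alloc_frame(uint32_t width, uint32_t height, uint32_t bytes_per_pixel,
                     size_t *stride_out)
{
    size_t total;
    if (frame_size_checked(width, height, bytes_per_pixel, stride_out, &total) != 0)
        return NULL;
    return calloc(total, 1);
}

int main(void)
{
    /* Constructed header values: a width chosen so that width * 4 wraps uint32. */
    const uint32_t crafted_width = 0x40000001u, height = 16, bpp = 4;
    size_t stride, total;

    printf("unchecked stride for crafted width: %u bytes/row\n",
           stride_unchecked(crafted_width, bpp));          /* 4, not ~4 GiB */
    printf("checked size for crafted header: %s\n",
           frame_size_checked(crafted_width, height, bpp, &stride, &total) == 0
               ? "accepted" : "rejected");

    uint8_t *frame = alloc_frame(1024, 768, bpp, &stride);  /* ordinary RGBA frame */
    printf("1024x768 RGBA: stride=%zu, buffer %s\n",
           stride, frame ? "allocated" : "rejected");
    free(frame);
    return 0;
}
```

The checked version never relies on the integer type not wrapping: each product is compared against the cap before it is formed, which is the shape of the "validates ... stride calculations" control above, and it gives a decoder a single place to refuse a header before any heap allocation happens.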
An unauthenticated attacker over the network can exploit this vulnerability with low complexity by convincing a user to load the malicious .webp file through an application that uses the affected SAIL library. User interaction is required, such as opening the file in a supporting image viewer or application. Successful exploitation could result in arbitrary code execution with the privileges of the affected process, compromising confidentiality, integrity, and availability with high impact.
For mitigation details, security practitioners should consult the primary advisory from Talos Intelligence at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2224. No specific patches are detailed in the available information.
Details
- CWE(s): CWE-680 (Integer Overflow to Buffer Overflow)