CVE-2025-5222
HIGH
International Components for Unicode < 77.1 - Buffer Overflow
A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
Exploits (1)
References (9)
Scores
CVSS v3: 7.0
EPSS: 0.0003
EPSS Percentile: 9.7%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-120
Status: published
Products (10)
Red Hat/Red Hat Enterprise Linux 10
0:74.2-5.el10_0
Red Hat/Red Hat Enterprise Linux 6
Red Hat/Red Hat Enterprise Linux 7
Red Hat/Red Hat Enterprise Linux 8
Red Hat/Red Hat Enterprise Linux 9
0:67.1-10.el9_6
Red Hat/Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
0:67.1-10.el9_0
Red Hat/Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
0:67.1-10.el9_2
Red Hat/Red Hat Enterprise Linux 9.4 Extended Update Support
0:67.1-10.el9_4
Red Hat/Red Hat OpenShift Container Platform 4
unicode/international_components_for_unicode
< 77.1
Published: May 27, 2025
Tracked Since: Feb 18, 2026