CVE-2025-11015: 
Linux Debian vulnerability analysis and mitigation

A vulnerability has been identified in OGRECave Ogre versions up to 14.4.1, tracked as CVE-2025-11015. The issue affects the STBIImageCodec::encode function in the file /ogre/PlugIns/STBICodec/src/OgreSTBICodec.cpp, where mismatched memory management routines can lead to potential security issues. The vulnerability was disclosed on September 26, 2025 (NVD).

The vulnerability stems from a memory management mismatch in the STBIImageCodec::encode function. Specifically, the stbiwritepngtomem() function allocates its output buffer using malloc (via STBIW_MALLOC), which is then wrapped inside MemoryDataStream(data, len, true). The MemoryDataStream assumes ownership and attempts to free the memory using delete[], leading to an incompatible allocator usage. This mismatch between malloc and delete[] results in undefined behavior that can be detected by AddressSanitizer as an alloc-dealloc-mismatch (GitHub Issue).

The vulnerability has been assigned a CVSS v4.0 score of 4.8 (Medium), with a CVSS v3.1 Base Score of 5.3 (Medium). The attack is restricted to local execution and requires local access to be exploited. The vulnerability affects confidentiality, integrity, and availability at a low level (NVD).

The issue has been marked as 'wontfix' by the development team, citing that the fix would make the software much more complex and less maintainable (GitHub Issue).