CVE-2025-31344
giflib (gif2rgb) vulnerability analysis and mitigation

Overview

A heap-based buffer overflow vulnerability (CVE-2025-31344) was discovered in giflib through version 5.2.2. The flaw is in the DumpScreen2RGB function of the gif2rgb command-line utility (gif2rgb.c), which converts a GIF file to raw RGB data; it was reported against a Linux build, but the defective code is platform-independent C (NVD, OSS Security).

Technical details

The vulnerability occurs in DumpScreen2RGB when it resolves each pixel value to a color-map entry via ColorMap->Colors[GifRow[j]] without checking that GifRow[j] is smaller than the number of colors the map actually holds. In the reported AddressSanitizer trace the color map was 6 bytes (two RGB entries, from 0x602000000030 to 0x602000000036), yet a pixel value larger than the stored color count produced a ColorMapEntry pointer of 0x602000000039, past the end of the allocation, so the subsequent read of ColorMapEntry->Red is an out-of-bounds heap access. A GIF whose pixel data contains index values above its color-table size is enough to reach this path. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H (OSS Security).
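To make the missing check concrete, the following is an added example, not giflib's own code and not the OpenMandriva patch: it reproduces the shape of the DumpScreen2RGB inner loop next to a bounds-checked version. The local GifColorType/ColorMapObject definitions, the two-entry color map (6 bytes, as in the reported trace) and the pixel rows are constructed for the demonstration, and the names dump_row_unchecked, dump_row_checked, build_sample_map, sample_good_row and sample_bad_row are assumed names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins for giflib's GifColorType and ColorMapObject, using the
   same field names but simplified (added example; not giflib's headers). */
typedef unsigned char GifByteType;
typedef struct {
    GifByteType Red, Green, Blue;      /* 3 bytes per entry */
} GifColorType;
typedef struct {
    int ColorCount;                    /* entries actually stored */
    GifColorType *Colors;              /* heap array of ColorCount entries */
} ColorMapObject;

/* Shape of the vulnerable inner loop of DumpScreen2RGB: GifRow[j] indexes
   Colors[] with no comparison against ColorCount, so a pixel value >=
   ColorCount reads past the heap allocation (the trace above: a 6-byte map,
   i.e. two entries, indexed at 3). Kept for contrast; only called on a
   known-good row here. */
static void dump_row_unchecked(const ColorMapObject *ColorMap,
                               const GifByteType *GifRow, int width,
                               GifByteType *out)
{
    for (int j = 0; j < width; j++) {
        const GifColorType *ColorMapEntry = &ColorMap->Colors[GifRow[j]];
        *out++ = ColorMapEntry->Red;
        *out++ = ColorMapEntry->Green;
        *out++ = ColorMapEntry->Blue;
    }
}

/* Hardened form: every pixel value is validated against ColorCount before
   it is used as an index. Returns the number of pixels converted, or -1 at
   the first out-of-range pixel (nothing past it is written). Because the
   pixel byte is unsigned, the one comparison also rejects a ColorCount of
   zero or a negative count. */
static int dump_row_checked(const ColorMapObject *ColorMap,
                            const GifByteType *GifRow, int width,
                            GifByteType *out)
{
    if (ColorMap == NULL || ColorMap->Colors == NULL)
        return -1;
    for (int j = 0; j < width; j++) {
        if ((int)GifRow[j] >= ColorMap->ColorCount)   /* the missing check */
            return -1;
        const GifColorType *ColorMapEntry = &ColorMap->Colors[GifRow[j]];
        *out++ = ColorMapEntry->Red;
        *out++ = ColorMapEntry->Green;
        *out++ = ColorMapEntry->Blue;
    }
    return width;
}

/* Constructed sample: a two-entry map, exactly 6 bytes on the heap. */
static ColorMapObject *build_sample_map(void)
{
    ColorMapObject *m = malloc(sizeof *m);
    if (m == NULL) return NULL;
    m->ColorCount = 2;
    m->Colors = malloc((size_t)m->ColorCount * sizeof(GifColorType));
    if (m->Colors == NULL) { free(m); return NULL; }
    m->Colors[0] = (GifColorType){0x10, 0x20, 0x30};
    m->Colors[1] = (GifColorType){0x40, 0x50, 0x60};
    return m;
}

static void free_sample_map(ColorMapObject *m)
{
    if (m) { free(m->Colors); free(m); }
}

/* Row of valid indices: returns 4, or -2 if the RGB bytes are wrong. */
int sample_good_row(void)
{
    static const GifByteType row[4] = {0, 1, 1, 0};
    static const GifByteType want[12] = {0x10, 0x20, 0x30, 0x40, 0x50, 0x60,
                                         0x40, 0x50, 0x60, 0x10, 0x20, 0x30};
    GifByteType out[12] = {0};
    ColorMapObject *m = build_sample_map();
    if (m == NULL) return -3;
    int rc = dump_row_checked(m, row, 4, out);
    if (rc == 4 && memcmp(out, want, sizeof want) != 0) rc = -2;
    free_sample_map(m);
    return rc;
}

/* The crafted case: pixel value 3 against a 2-entry map. The checked
   converter refuses it (-1) instead of dereferencing Colors[3]. */
int sample_bad_row(void)
{
    static const GifByteType row[4] = {0, 1, 3, 1};
    GifByteType out[12] = {0};
    ColorMapObject *m = build_sample_map();
    if (m == NULL) return -3;
    int rc = dump_row_checked(m, row, 4, out);
    free_sample_map(m);
    return rc;
}

int main(void)
{
    printf("good row: %d\n", sample_good_row());   /* 4 */
    printf("bad row:  %d\n", sample_bad_row());    /* -1 */
    static const GifByteType row[4] = {0, 1, 1, 0};
    GifByteType out[12];
    ColorMapObject *m = build_sample_map();       /* unchecked loop, safe input only */
    if (m) { dump_row_unchecked(m, row, 4, out); free_sample_map(m); }
    return 0;
}
```

Compiling the block with -fsanitize=address and feeding the bad row to dump_row_unchecked reproduces the heap-buffer-overflow report shape (a 3-byte read 3 bytes past a 6-byte region); the checked variant returns -1 before any read happens, which is the behaviour a converter should have for a file whose pixel indices exceed its color table.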

Impact

The faulting access is a read past a heap allocation while converting an attacker-supplied GIF, so the realistic outcomes are a crash of gif2rgb (denial of service, A:H) and, because the three bytes read are copied into the RGB output, possible leakage of adjacent heap contents into the converted image (C:L); the CVSS vector rates the confidentiality and integrity impacts as low and requires local access, i.e. the victim has to run gif2rgb on a crafted file. The vulnerability affects the gif2rgb utility, which is shipped with various Linux distributions including Ubuntu (OSS Security).

Mitigation and workarounds

A patch has been provided by Bernhard Rosenkränzer to address the vulnerability. Some distributions, like Red Hat, have chosen to remove the gif2rgb tool entirely as a mitigation strategy, a course the giflib maintainer endorsed, describing gif2rgb as "old and crappy code". Alternatively, users can use ImageMagick or similar tools for GIF to RGB conversion, though there are noted limitations with these alternatives (OSS Security, OpenMandriva Patch). Since fixes differ by distribution, check whether your package still installs the gif2rgb binary at all and whether the distribution's advisory lists the patched giflib-tools (or equivalent) version, rather than relying on the library version alone: the defect is in the utility, not in the shared library.

Community reactions

The vulnerability has generated significant discussion in the security community, with some researchers noting that this issue was previously reported in 2016 but wasn't completely fixed. Sebastian Pipping has highlighted that there are multiple security issues in giflib beyond this CVE, suggesting a need for collaborative repair rather than removal of the affected components (OSS Security).

This report was generated using AI.
