CVE-2025-62526: 
Linux Ubuntu vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2025-62526) was discovered in OpenWrt's ubusd component, affecting versions prior to 24.10.4. The vulnerability was identified in October 2025 and involves a heap buffer overflow in the event registration parsing code of ubusd, the central messaging daemon used for inter-process communication within OpenWrt (NVD, Security Online).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) with a CVSS v3.1 base score of 7.8-7.9 (High). The flaw exists in the event registration parsing code where the affected code is executed before running the Access Control List (ACL) checks. The vulnerability allows for both heap corruption and ACL bypass, as the crafted subscription can circumvent the listen ACL controls (GitHub Advisory).

The vulnerability enables an attacker to modify the heap and potentially execute arbitrary code in the context of the ubus daemon. Since the vulnerable code executes before ACL checks, all ubus clients can send malicious messages, making the impact more severe. Additionally, the vulnerability allows for bypassing access control mechanisms (GitHub Advisory).

The vulnerability has been fixed in OpenWrt version 24.10.4 and all snapshot builds released since October 18th, 2025. There are no workarounds available for this vulnerability. Users of older versions like 23.05 and 22.03, which are end of life, are advised to upgrade as these versions no longer receive security support (GitHub Advisory).