CVE-2025-8854 - Vulnerability Details - OpenCVE

Stack-based buffer overflow in LoadOFF in bulletphysics bullet3 before 3.26 on all platforms allows remote attackers to execute arbitrary code via a crafted OFF file with an overlong initial token processed by the VHACD test utility or invoked indirectly through PyBullet's vhacd function.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

No data.

No data.

No data.

References

Link	Providers
https://github.com/bulletphysics/bullet3/blob/master/Extras/VHACD/test/src/main_vhacd.cpp#L472
https://github.com/bulletphysics/bullet3/issues/4732

History

Mon, 11 Aug 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 11 Aug 2025 04:45:00 +0000

Type	Values Removed	Values Added
Description		Stack-based buffer overflow in LoadOFF in bulletphysics bullet3 before 3.26 on all platforms allows remote attackers to execute arbitrary code via a crafted OFF file with an overlong initial token processed by the VHACD test utility or invoked indirectly through PyBullet's vhacd function.
Title		bullet3 VHACD utility: stack-based buffer overflow in OFF parser (LoadOFF)
Weaknesses		CWE-120
References		https://github.com/bulletphysics/bullet3/blob/master/Extras/VHACD/test/src/main_vhacd.cpp#L472 https://github.com/bulletphysics/bullet3/issues/4732
Metrics		cvssV4_0 `{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: CyberArk

Published: 2025-08-11T04:24:02.469Z

Updated: 2025-08-11T20:32:47.464Z

Reserved: 2025-08-11T03:59:29.801Z

Link: CVE-2025-8854

Vulnrichment

Updated: 2025-08-11T20:32:36.490Z

NVD

Status : Awaiting Analysis

Published: 2025-08-11T05:15:27.187

Modified: 2025-08-11T21:15:29.203

Link: CVE-2025-8854

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-8854", "assignerOrgId": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "state": "PUBLISHED", "assignerShortName": "CyberArk", "dateReserved": "2025-08-11T03:59:29.801Z", "datePublished": "2025-08-11T04:24:02.469Z", "dateUpdated": "2025-08-11T20:32:47.464Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Extras/VHACD/test/src/main_vhacd.cpp"], "product": "bullet3", "vendor": "bulletphysics", "versions": [{"status": "affected", "version": "<= 3.25"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Simcha Kosman"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Stack-based buffer overflow in <code>LoadOFF</code> in bulletphysics <code>bullet3</code> before 3.26 on all platforms allows remote attackers to execute arbitrary code via a crafted OFF file with an overlong initial token processed by the VHACD test utility or invoked indirectly through PyBullet's <code>vhacd</code> function."}], "value": "Stack-based buffer overflow in LoadOFF in bulletphysics bullet3 before 3.26 on all platforms allows remote attackers to execute arbitrary code via a crafted OFF file with an overlong initial token processed by the VHACD test utility or invoked indirectly through PyBullet's vhacd function."}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.4, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "shortName": "CyberArk", "dateUpdated": "2025-08-11T04:24:02.469Z"}, "references": [{"url": "https://github.com/bulletphysics/bullet3/blob/master/Extras/VHACD/test/src/main_vhacd.cpp#L472"}, {"url": "https://github.com/bulletphysics/bullet3/issues/4732"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2024-12-01T22:00:00.000Z", "value": "Initial vendor notification (no response)"}, {"lang": "en", "time": "2025-08-10T21:00:00.000Z", "value": "Public disclosure via GitHub issue"}], "title": "bullet3 VHACD utility: stack-based buffer overflow in OFF parser (LoadOFF)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"references": [{"url": "https://github.com/bulletphysics/bullet3/issues/4732", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-11T20:32:43.547693Z", "id": "CVE-2025-8854", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T20:32:47.464Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8854", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-11T20:32:43.547693Z"}}}], "references": [{"url": "https://github.com/bulletphysics/bullet3/issues/4732", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T20:32:36.490Z"}}], "cna": {"title": "bullet3 VHACD utility: stack-based buffer overflow in OFF parser (LoadOFF)", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Simcha Kosman"}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.4, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "bulletphysics", "modules": ["Extras/VHACD/test/src/main_vhacd.cpp"], "product": "bullet3", "versions": [{"status": "affected", "version": "<= 3.25"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-12-01T22:00:00.000Z", "value": "Initial vendor notification (no response)"}, {"lang": "en", "time": "2025-08-10T21:00:00.000Z", "value": "Public disclosure via GitHub issue"}], "references": [{"url": "https://github.com/bulletphysics/bullet3/blob/master/Extras/VHACD/test/src/main_vhacd.cpp#L472"}, {"url": "https://github.com/bulletphysics/bullet3/issues/4732"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Stack-based buffer overflow in LoadOFF in bulletphysics bullet3 before 3.26 on all platforms allows remote attackers to execute arbitrary code via a crafted OFF file with an overlong initial token processed by the VHACD test utility or invoked indirectly through PyBullet's vhacd function.", "supportingMedia": [{"type": "text/html", "value": "Stack-based buffer overflow in <code>LoadOFF</code> in bulletphysics <code>bullet3</code> before 3.26 on all platforms allows remote attackers to execute arbitrary code via a crafted OFF file with an overlong initial token processed by the VHACD test utility or invoked indirectly through PyBullet's <code>vhacd</code> function.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "shortName": "CyberArk", "dateUpdated": "2025-08-11T04:24:02.469Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8854", "state": "PUBLISHED", "dateUpdated": "2025-08-11T20:32:47.464Z", "dateReserved": "2025-08-11T03:59:29.801Z", "assignerOrgId": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "datePublished": "2025-08-11T04:24:02.469Z", "assignerShortName": "CyberArk"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Stack-based buffer overflow in LoadOFF in bulletphysics bullet3 before 3.26 on all platforms allows remote attackers to execute arbitrary code via a crafted OFF file with an overlong initial token processed by the VHACD test utility or invoked indirectly through PyBullet's vhacd function."}, {"lang": "es", "value": "El desbordamiento de b\u00fafer basado en pila en LoadOFF en bulletphysics bullet3 anterior a 3.26 en todas las plataformas permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de un archivo OFF manipulado con un token inicial demasiado largo procesado por la utilidad de prueba VHACD o invocado indirectamente a trav\u00e9s de la funci\u00f3n vhacd de PyBullet."}], "id": "CVE-2025-8854", "lastModified": "2025-08-11T21:15:29.203", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "type": "Secondary"}]}, "published": "2025-08-11T05:15:27.187", "references": [{"source": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "url": "https://github.com/bulletphysics/bullet3/blob/master/Extras/VHACD/test/src/main_vhacd.cpp#L472"}, {"source": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "url": "https://github.com/bulletphysics/bullet3/issues/4732"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/bulletphysics/bullet3/issues/4732"}], "sourceIdentifier": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "96148269-fe82-4198-b1bf-3a73ce8bc92e", "type": "Secondary"}]}