{"id":"AZL-61836","summary":"CVE-2025-47436 affecting package orc 0.4.39-2","details":"Heap-based Buffer Overflow vulnerability in Apache ORC.\n\nA vulnerability has been identified in the ORC C++ LZO decompression logic: a specially crafted, malformed ORC file can cause the decompressor to allocate a 250-byte buffer and then attempt to copy 295 bytes into it, corrupting heap memory.\n\nThis issue affects the Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, and from 2.1.0 through 2.1.1.\n\nUsers are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, or 2.1.2, which fix the issue.","modified":"2026-04-21T04:31:51.780905Z","published":"2025-05-14T14:15:30Z","upstream":["CVE-2025-47436"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-47436"}],"affected":[{"package":{"name":"orc","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/orc"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"0.4.39-2"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-61836.json"}}],"schema_version":"1.7.5"}
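The bug shape the advisory describes (output buffer sized from a length field in the file, copy length driven by the compressed stream that follows) as an added C example. This is not Apache ORC's code and the block format below is a hypothetical toy, not real LZO framing; it shows the unchecked decoder beside one that validates remaining output capacity before every write, driven by a constructed block that declares 250 bytes of output but expands to 295, mirroring the numbers in the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Toy compressed-block format used only for this illustration (hypothetical,
 * not ORC's LZO framing). It reproduces the shape of the bug: the output
 * buffer is sized from a header field, while the number of bytes actually
 * written is dictated by the op stream.
 *
 *   in[0]   : declared decompressed length N (the decoder allocates N bytes)
 *   in[1..] : ops. op < 0x80  : literal run, (op + 1) bytes follow verbatim
 *                  op >= 0x80 : repeat the previous output byte (op & 0x7f) + 1 times
 */

/* Walks the op stream without writing and returns how many output bytes it
 * would produce, or (size_t)-1 if a literal run overruns the input. */
size_t stream_output_len(const uint8_t *in, size_t in_len)
{
    size_t total = 0, i = 1;
    while (i < in_len) {
        uint8_t op = in[i++];
        size_t n = (size_t)(op & 0x7f) + 1;
        if (op < 0x80) {
            if (n > in_len - i) return (size_t)-1;
            i += n;
        }
        total += n;
    }
    return total;
}

/* Vulnerable shape: allocate from the header, then copy whatever the ops say.
 * Input-side reads are checked, but nothing compares `pos + n` against
 * `declared`, so a stream that expands past N overruns the heap buffer.
 * Returns bytes written or (size_t)-1; never feed this untrusted data. */
size_t decode_unchecked(const uint8_t *in, size_t in_len, uint8_t **out)
{
    if (in_len < 1) return (size_t)-1;
    size_t declared = in[0];
    uint8_t *buf = malloc(declared ? declared : 1);
    if (!buf) return (size_t)-1;
    size_t pos = 0, i = 1;
    while (i < in_len) {
        uint8_t op = in[i++];
        size_t n = (size_t)(op & 0x7f) + 1;
        if (op < 0x80) {
            if (n > in_len - i) { free(buf); return (size_t)-1; }
            memcpy(buf + pos, in + i, n);          /* no check against `declared` */
            i += n;
        } else {
            if (pos == 0) { free(buf); return (size_t)-1; }
            memset(buf + pos, buf[pos - 1], n);    /* no check against `declared` */
        }
        pos += n;
    }
    *out = buf;
    return pos;
}

/* Hardened shape: every write is bounded by the capacity that remains in the
 * allocation, and a stream that does not fill exactly N bytes is rejected.
 * Returns 0 on success (caller frees *out) or -1 on malformed input. */
int decode_checked(const uint8_t *in, size_t in_len, uint8_t **out, size_t *out_len)
{
    if (in_len < 1) return -1;
    size_t declared = in[0];
    uint8_t *buf = malloc(declared ? declared : 1);
    if (!buf) return -1;
    size_t pos = 0, i = 1;
    while (i < in_len) {
        uint8_t op = in[i++];
        size_t n = (size_t)(op & 0x7f) + 1;
        if (n > declared - pos) { free(buf); return -1; }   /* the missing bound */
        if (op < 0x80) {
            if (n > in_len - i) { free(buf); return -1; }
            memcpy(buf + pos, in + i, n);
            i += n;
        } else {
            if (pos == 0) { free(buf); return -1; }
            memset(buf + pos, buf[pos - 1], n);
        }
        pos += n;
    }
    if (pos != declared) { free(buf); return -1; }          /* short stream is malformed too */
    *out = buf;
    *out_len = pos;
    return 0;
}

/* Constructed sample mirroring the advisory's numbers: the header declares
 * 250 bytes, but the ops expand to 127 + 127 + 41 = 295. Returns block length. */
size_t make_crafted_block(uint8_t *dst, size_t cap)
{
    if (cap < 258) return 0;                /* 1 + (1+127) + (1+127) + 1 */
    size_t i = 0;
    dst[i++] = 250;
    dst[i++] = 0x7e; memset(dst + i, 'A', 127); i += 127;   /* literal run of 127 */
    dst[i++] = 0x7e; memset(dst + i, 'B', 127); i += 127;   /* literal run of 127 */
    dst[i++] = 0x80 | 40;                                   /* repeat 'B' 41 times */
    return i;
}
```

The fix is the single comparison against remaining capacity before each write; the final `pos != declared` check is a stricter policy that also rejects streams which underfill the declared length, which is reasonable for a columnar file format where every block length is known in advance.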