{"id":"CVE-2025-4638","details":"A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue may allow context-dependent attackers to cause undefined behavior by exploiting improper pointer arithmetic.\n\nSince version 1.14.0, PCL by default uses a zlib installation from the system, unless the user sets WITH_SYSTEM_ZLIB=FALSE. So this potential vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib.","modified":"2026-04-10T05:31:45.459586Z","published":"2025-05-14T18:15:33.597Z","related":["MGASA-2025-0162"],"references":[{"type":"WEB","url":"https://github.com/PointCloudLibrary/pcl/blob/master/surface/CMakeLists.txt#L70"},{"type":"FIX","url":"https://github.com/PointCloudLibrary/pcl/commit/502bd2b013ce635f21632d523aa8cf2e04f7b7ac"},{"type":"FIX","url":"https://github.com/PointCloudLibrary/pcl/pull/6245"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pointcloudlibrary/pcl","events":[{"introduced":"0"},{"fixed":"f62c018b4fc7df3dc2c096918a8462a190f28bb8"},{"fixed":"502bd2b013ce635f21632d523aa8cf2e04f7b7ac"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.14.0"}]}}],"versions":["pcl-1.0-ros","pcl-1.10.0","pcl-1.10.1","pcl-1.11.0","pcl-1.11.1","pcl-1.11.1-rc1","pcl-1.11.1-rc2","pcl-1.12.0","pcl-1.12.0-rc1","pcl-1.12.1","pcl-1.13.0","pcl-1.13.0-rc1","pcl-1.13.1","pcl-1.13.1-rc1","pcl-1.14.0-rc1","pcl-1.8.0","pcl-1.8.0rc1","pcl-1.8.0rc2","pcl-1.9.0","pcl-1.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-4638.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}