{"id":"CVE-2025-47256","details":"Libxmp through 4.6.2 has a stack-based buffer overflow in depack_pha in loaders/prowizard/pha.c via a malformed Pha format tracker module in a .mod file.","modified":"2026-04-10T05:30:01.507124Z","published":"2025-05-06T20:15:27.177Z","related":["openSUSE-SU-2025:15081-1"],"references":[{"type":"WEB","url":"https://github.com/libxmp/libxmp/blob/ec22d1c7b93c8f681f8504a6c61c6f8a52458a10/src/loaders/prowizard/pha.c#L35"},{"type":"REPORT","url":"https://github.com/libxmp/libxmp/issues/847"},{"type":"PACKAGE","url":"https://github.com/GCatt-AS/CVE-2025-47256"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libxmp/libxmp","events":[{"introduced":"0"},{"last_affected":"828ef357943e1fbb13910e7a6fca21987c5c5827"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.6.2"}]}}],"versions":["2.2.0","2.3.0","2.3.1","2.3.2","2.4.0","2.4.1","2.5.0","2.5.1","2.7.0","2.7.0-win32-amigaconf.patch","2.7.1","3.0.0","3.0.0-pre1","3.1.0","3.2.0","3.3.0","3.4.0","3.4.1","3.5.0","android-1.0.1","android-1.1","android-1.2","android-1.9","android-1.9.1","android-1.9.2","android-1.9.3","android-1.9.4","android-1.9.5","android-2.0.0","android-2.0.1","android-2.0.2","android-2.0.3","android-2.1.0","android-2.1.1","android-2.2.0","android-2.3.0","android-2.4.0","android-2.9.0","android-2.9.1","android-2.9.2","android-3.0.0","android-3.0.1","android-3.0.2","android-3.1.1","android-3.1.2","android-3.2.0","android-3.2.1","android-3.3.0","android-3.4.0","android-3.4.1","android-3.4.2","android-3.4.3","android-3.4.4","android-3.5.0","android-3.6.0","android-3.6.2","api-4.0","git_import","import","libxmp-3.9.0","libxmp-3.9.1","libxmp-3.9.4","libxmp-4.0.0","libxmp-4.0.1","libxmp-4.0.2","libxmp-4.0.3","libxmp-4.0.4","libxmp-4.1.0","libxmp-4.1.1","libxmp-4.1.2","libxmp-4.1.3","libxmp-4.1.4","libxmp-4.1.5","libxmp-4.2.0","libxmp-4.2.1","libxmp-4.2.2","libxmp-4.2.3","libxmp-4.2.4","libxmp-4.2.5","libxmp-4.2.6","libxmp-4.2.7","libxmp-4.2.8","libxmp-4.3.0","libxmp-4.3.1","libxmp-4.3.10","libxmp-4.3.11","libxmp-4.3.12","libxmp-4.3.13","libxmp-4.3.2","libxmp-4.3.3","libxmp-4.3.4","libxmp-4.3.5","libxmp-4.3.6","libxmp-4.3.7","libxmp-4.3.8","libxmp-4.3.9","libxmp-4.4.0","libxmp-4.4.1","libxmp-4.5.0","libxmp-4.6.0","libxmp-4.6.1","libxmp-4.6.2","v2.6.0","v2.6.1","v2.6.2","xmp-3.9.0","xmp-3.9.1","xmp-4.0.0","xmp-4.0.1","xmp-4.0.2","xmp-4.0.3","xmp-4.0.4","xmp-4.0.5","xmp-4.0.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47256.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L"}]}