SB20260424106 - Multiple vulnerabilities in OpenWrt

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Heap-based buffer overflow (CVE-ID: CVE-2025-62526)

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to heap-based buffer overflow in the event registration parsing code when parsing crafted subscription messages. A local user can send a specially crafted message to execute arbitrary code.

The affected code is reached before ACL checks, and the crafted subscription also bypasses the listen ACL.

2) Out-of-bounds read (CVE-ID: CVE-2025-62525)

The vulnerability allows a local user to read and write arbitrary kernel memory.

The vulnerability exists due to improper input validation in the ltq-ptm driver ioctls when processing ioctl requests. A local user can send crafted ioctl requests to read and write arbitrary kernel memory.

The issue affects systems using the ltq-ptm driver for DSL datapath operation in PTM mode on supported lantiq targets.

Remediation

Install update from vendor's website.

References

• https://github.com/openwrt/openwrt/security/advisories/GHSA-cp32-65v4-cp73
• https://openwrt.org/advisory/2025-10-22-1
• https://github.com/openwrt/openwrt/security/advisories/GHSA-h427-frpr-7cqr
• https://openwrt.org/advisory/2025-10-22-2