#VU111136 NULL pointer dereference in omr - CVE-2025-1470


Vulnerability identifier: #VU111136

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-1470

CWE-ID: CWE-476

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
omr
Other software / Other software solutions

Vendor: Eclipse OMR

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to some OMR internal port library and utilities consumers of z/OS atoe functions do not check their return values for NULL memory pointers or for memory allocation failures. A local user can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..

Vulnerable software versions

omr: 0.4.0

External links
https://github.com/eclipse-omr/omr/pull/7655
https://github.com/eclipse-omr/omr/pull/7663
https://gitlab.eclipse.org/security/cve-assignement/-/issues/54

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Storage Protect for Virtual Environments (Data Protection for VMware and Data Protection for Hyper-V)
Multiple vulnerabilities in IBM Storage Protect Backup-Archive Client
Multiple vulnerabilities in IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component
Multiple vulnerabilities in IBM Installation Manager and IBM Packaging Utility
NULL pointer dereference in Eclipse OMR