Security Vulnerability Report
CVE-2025-11964 CVSS 1.9 LOW

CVE-2025-11964

Published: 2025-12-31 01:15:55
Last Modified: 2026-04-15 00:35:42

Description

On Windows only, if libpcap needs to convert a Windows error message to UTF-8 and the message includes characters that UTF-8 represents using 4 bytes, utf_16le_to_utf_8_truncated() can write data beyond the end of the provided buffer.

CVSS Details

CVSS Score: 1.9
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

libpcap < 1.10.5 (Windows version)
libpcap < 1.11.1 (Windows version)
The Windows version of libpcap is affected when it uses the utf_16le_to_utf_8_truncated() function to process error messages

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-11964 PoC - libpcap utf_16le_to_utf_8_truncated() Buffer Overflow
 * Target: libpcap on Windows
 * Note: This PoC demonstrates the vulnerability concept, requires local access
 * Author: Generated for educational purposes
 */
#include <windows.h>
#include <stdio.h>

// Simulated vulnerable function (simplified version)
// The actual vulnerable function is in libpcap's charset.c
void utf_16le_to_utf_8_truncated_demo(WCHAR* input, char* output, int output_size) {
    int j = 0;
    for (int i = 0; input[i] != 0; i++) {
        DWORD codepoint = input[i];

        // Combine a UTF-16 surrogate pair into one code point above 0xFFFF;
        // without this step the 4-byte branch below is never reached
        if (codepoint >= 0xD800 && codepoint <= 0xDBFF &&
            input[i + 1] >= 0xDC00 && input[i + 1] <= 0xDFFF) {
            codepoint = 0x10000 + ((codepoint - 0xD800) << 10) + (input[i + 1] - 0xDC00);
            i++;
        }

        // UTF-8 encoding - 4-byte sequences for codepoints > 0xFFFF
        if (codepoint > 0xFFFF) {
            // BUG: No proper bounds checking for output buffer
            // This writes 4 bytes without verifying j+4 < output_size
            output[j++] = (char)(0xF0 | ((codepoint >> 18) & 0x07));
            output[j++] = (char)(0x80 | ((codepoint >> 12) & 0x3F));
            output[j++] = (char)(0x80 | ((codepoint >> 6) & 0x3F));
            output[j++] = (char)(0x80 | (codepoint & 0x3F));
        } else if (codepoint > 0x7FF) {
            // 3-byte sequence: all three bytes plus the terminator must fit
            if (j + 3 >= output_size) break;
            output[j++] = (char)(0xE0 | ((codepoint >> 12) & 0x0F));
            output[j++] = (char)(0x80 | ((codepoint >> 6) & 0x3F));
            output[j++] = (char)(0x80 | (codepoint & 0x3F));
        } else if (codepoint > 0x7F) {
            // 2-byte sequence
            if (j + 2 >= output_size) break;
            output[j++] = (char)(0xC0 | ((codepoint >> 6) & 0x1F));
            output[j++] = (char)(0x80 | (codepoint & 0x3F));
        } else {
            // 1-byte (ASCII) sequence
            if (j + 1 >= output_size) break;
            output[j++] = (char)codepoint;
        }
    }
    output[j] = '\0';
}

int main() {
    printf("CVE-2025-11964 PoC - libpcap UTF-8 Buffer Overflow\n");
    printf("=================================================\n\n");

    // Create input with 4-byte UTF-8 characters
    WCHAR utf16_input[] = { 0xD83D, 0xDE00, 0x0000 }; // 😀 emoji in UTF-16

    // Small output buffer - will overflow. Only the first output_size bytes
    // are the buffer handed to the function; the array itself is 8 bytes long
    // so the dump loops below stay inside defined memory.
    char output[8] = {0};
    int output_size = 3;

    printf("Input: Unicode character requiring 4-byte UTF-8\n");
    printf("Output buffer size: %d bytes\n", output_size);
    printf("Expected UTF-8 size: 4 bytes\n\n");

    printf("Before overflow:\n");
    for (int i = 0; i < 8; i++) {
        printf("output[%d] = 0x%02X\n", i, (unsigned char)output[i]);
    }

    // Trigger the vulnerable code path
    utf_16le_to_utf_8_truncated_demo(utf16_input, output, output_size);

    printf("\nAfter calling vulnerable function:\n");
    for (int i = 0; i < 8; i++) {
        printf("output[%d] = 0x%02X", i, (unsigned char)output[i]);
        if (i >= output_size) printf(" <-- BUFFER OVERFLOW!");
        printf("\n");
    }
    return 0;
}
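
For contrast with the demo above, a bounds-checked truncating converter as an added example; it is not code from this page and not libpcap's actual fix. The function name utf16_to_utf8_bounded, the U+FFFD substitution for unpaired surrogates and the portable uint16_t input type are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Number of UTF-8 bytes needed to encode one code point. */
static size_t utf8_len(uint32_t cp) {
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}

/*
 * Hypothetical hardened converter (illustrative, not libpcap's code).
 * Converts a NUL-terminated UTF-16 string to UTF-8, truncating on a
 * character boundary. Returns bytes written, excluding the final NUL.
 */
size_t utf16_to_utf8_bounded(const uint16_t *in, char *out, size_t out_size) {
    static const unsigned char lead[] = {0, 0, 0xC0, 0xE0, 0xF0};
    size_t j = 0;

    if (out_size == 0) return 0;            /* no room even for the NUL */
    for (size_t i = 0; in[i] != 0; i++) {
        uint32_t cp = in[i];
        if (cp >= 0xD800 && cp <= 0xDBFF &&
            in[i + 1] >= 0xDC00 && in[i + 1] <= 0xDFFF) {
            cp = 0x10000 + ((cp - 0xD800) << 10) + (in[i + 1] - 0xDC00);
            i++;                            /* consumed the low surrogate */
        } else if (cp >= 0xD800 && cp <= 0xDFFF) {
            cp = 0xFFFD;                    /* unpaired surrogate (assumed policy) */
        }
        size_t n = utf8_len(cp);
        /* One check for every width, 4-byte sequences included: the whole
           sequence plus the NUL must fit, otherwise truncate here. */
        if (n > out_size - 1 - j) break;
        if (n == 1) {
            out[j++] = (char)cp;
        } else {
            /* lead byte, then n-1 continuation bytes, high bits first */
            out[j++] = (char)(lead[n] | (cp >> (6 * (n - 1))));
            for (size_t k = n - 1; k-- > 0; )
                out[j++] = (char)(0x80 | ((cp >> (6 * k)) & 0x3F));
        }
    }
    out[j] = '\0';                          /* j <= out_size - 1 always holds */
    return j;
}
```

With the same emoji input and a 3-byte buffer as in the demo, this version writes only the terminating NUL and leaves the bytes after the buffer untouched.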

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11964", "sourceIdentifier": "[email protected]", "published": "2025-12-31T01:15:54.667", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "On Windows only, if libpcap needs to convert a Windows error message to UTF-8 and the message includes characters that UTF-8 represents using 4 bytes, utf_16le_to_utf_8_truncated() can write data beyond the end of the provided buffer."}, {"lang": "es", "value": "Solo en Windows, si libpcap necesita convertir un mensaje de error de Windows a UTF-8 y el mensaje incluye caracteres que UTF-8 representa usando 4 bytes, utf_16le_to_utf_8_truncated() puede escribir datos más allá del final del búfer proporcionado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.5, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://github.com/the-tcpdump-group/libpcap/commit/7fabf607f2319a36a0bd78444247180acb838e69", "source": "[email protected]"}]}}