Which versions of Microsoft are affected by CVE-2019-25485?

Organizations using R 3.4.4 on Windows x64 should be aware of moderate risk from CVE-2019-25485, a out-of-bounds write vulnerability rated CVSS 6.2.

Is there a public PoC exploit available for CVE-2019-25485?

Yes, a public proof-of-concept exploit is available for CVE-2019-25485. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2019-25485?

Within 30 days: Identify affected systems running the GUI Preferences language menu field that allows local at and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Microsoft CVE-2019-25485

Q: What is the CVSS score of CVE-2019-25485?

CVE-2019-25485 has a CVSS 4.0 base score of 6.9 (Medium). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

MEDIUM

Out-of-bounds Write (CWE-787)

2026-03-11 disclosure@vulncheck.com

Buffer Overflow Memory Corruption Microsoft

6.9

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 15, 2026 - 15:22 NVD

6.2 (MEDIUM) 6.9 (MEDIUM)

Analysis Generated

Mar 12, 2026 - 22:07 vuln.today

PoC Detected

Mar 12, 2026 - 21:08 vuln.today

Public exploit code

CVE Published

Mar 11, 2026 - 19:16 nvd

MEDIUM 6.2

DescriptionNVD

R 3.4.4 on Windows x64 contains a buffer overflow vulnerability in the GUI Preferences language menu field that allows local attackers to bypass DEP and ASLR protections. Attackers can inject a crafted payload through the Language for menus preference to trigger a structured exception handler chain pivot and execute arbitrary shellcode with application privileges.

AnalysisAI

R 3.4.4 on Windows x64 contains a buffer overflow vulnerability in the GUI Preferences language menu field that allows local attackers to bypass DEP and ASLR protections. [CVSS 6.2 MEDIUM]

Technical ContextAI

Classified as CWE-787 (Out-of-bounds Write). Affects GUI Preferences language menu field. R 3.4.4 on Windows x64 contains a buffer overflow vulnerability in the GUI Preferences language menu field that allows local attackers to bypass DEP and ASLR protections. Attackers can inject a crafted payload through the Language for menus preference to trigger a structured exception handler chain pivot and execute arbitrary shellcode with application privileges.