Is there a public PoC exploit available for CVE-2025-14958?

Yes, a public proof-of-concept exploit is available for CVE-2025-14958. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for CVE-2025-14958?

Yes, a patch is available for CVE-2025-14958. Update the affected software to the latest version immediately.

floooh sokol CVE-2025-14958

Q: What is the CVSS score of CVE-2025-14958?

CVE-2025-14958 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Buffer Overflow (CWE-119)

2025-12-19 cna@vuldb.com

Buffer Overflow Sokol

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 02:49 vuln.today

DescriptionCVE.org

A security flaw has been discovered in floooh sokol up to 33e2271c431bf21de001e972f72da17a984da932. This vulnerability affects the function _sg_pipeline_common_init in the library sokol_gfx.h. Performing manipulation results in heap-based buffer overflow. The attack needs to be approached locally. The exploit has been released to the public and may be exploited. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The patch is named 33e2271c431bf21de001e972f72da17a984da932. It is suggested to install a patch to address this issue.

AnalysisAI

Heap-based buffer overflow in sokol_gfx.h's _sg_pipeline_common_init function allows local authenticated attackers to corrupt memory with low impact on confidentiality, integrity, and availability. Exploitation requires local access and authenticated privileges but no user interaction. Publicly available exploit code exists, though EPSS scoring (0.03%) indicates minimal real-world exploitation probability despite low CVSS score.

Technical ContextAI

sokol is a lightweight graphics library written in C that abstracts graphics APIs. The vulnerability exists in the sokol_gfx.h header file, specifically in the _sg_pipeline_common_init function which handles initialization of graphics pipeline objects. The root cause is a heap-based buffer overflow (CWE-119) in buffer management during pipeline initialization. This suggests improper bounds checking when writing to dynamically allocated memory structures that hold pipeline configuration data. The attack vector is local (AV:L) with low complexity (AC:L), meaning an attacker with local system access can trigger the overflow without sophisticated techniques.

RemediationAI

Update to commit 33e2271c431bf21de001e972f72da17a984da932 or later from the official sokol repository (https://github.com/floooh/sokol). Since sokol uses a rolling-release model without formal versioned releases, users should pull the latest main branch code or the specific commit hash. No workarounds are available for in-use applications; applications using older builds of sokol_gfx.h must rebuild and redeploy. For development environments, ensure CI/CD pipelines pin to the patched commit or later. Applications that do not use graphics pipeline initialization or only run with elevated privileges may face reduced risk, but patching is still recommended.

CVE-2025-14958 vulnerability details – vuln.today

Back