How to fix CVE-2025-36853?

Within 7 days: Identify all affected systems and apply vendor patches promptly. If patching is delayed, consider network segmentation to limit exposure.

Is Heap Overflow affected by CVE-2025-36853?

CVE-2025-36853 presents notable security risk, a heap-based buffer overflow vulnerability rated CVSS 7.5. Exploitation could allow attackers to corrupt memory, crash the application, or potentially execute arbitrary code.

CVE-2025-36853

HIGH

2025-09-08 36c7be3b-2937-45df-85ea-ca7133ea542c

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:11 vuln.today

CVE Published

Sep 08, 2025 - 14:15 nvd

HIGH 7.5

Description

A vulnerability (CVE-2025-21172) exists in msdia140.dll due to integer overflow and heap-based overflow. Per CWE-122: Heap-based Buffer Overflow, a heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().‍ Per CWE-190: Integer Overflow or Wraparound, is when a product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.

Analysis

A vulnerability (CVE-2025-21172) exists in msdia140.dll due to integer overflow and heap-based overflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Technical Context

This vulnerability is classified under CWE-122. A vulnerability (CVE-2025-21172) exists in msdia140.dll due to integer overflow and heap-based overflow. Per CWE-122: Heap-based Buffer Overflow, a heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().‍ Per CWE-190: Integer Overflow or Wraparound, is when a product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.

Affected Products

See vendor advisory for affected versions.

Remediation

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2025-36853 vulnerability details – vuln.today

Back

CVE-2025-36853

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-36853

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code