CVE-2025-48386

| EUVD-2025-20679 MEDIUM
2025-07-08 [email protected]
6.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 16, 2026 - 04:21 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 04:21 euvd
EUVD-2025-20679
CVE Published
Jul 08, 2025 - 19:15 nvd
MEDIUM 6.3

Tags

Buffer Overflow Ubuntu Debian Redhat Suse

Description

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Analysis

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.

Technical Context

A buffer overflow occurs when data written to a buffer exceeds its allocated size, potentially overwriting adjacent memory and corrupting program state. This vulnerability is classified as Classic Buffer Overflow (CWE-120).

Remediation

Use memory-safe languages or bounds-checked functions. Enable ASLR, DEP/NX, and stack canaries. Apply vendor patches promptly.

Priority Score

32
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +32
POC: 0

Vendor Status

Ubuntu

Priority: Medium
git
Release Status Version
bionic released 1:2.17.1-1ubuntu0.18+esm2
focal released 1:2.25.1-1ubuntu3.14+esm1
jammy released 1:2.34.1-1ubuntu1.13
noble released 1:2.43.0-1ubuntu7.3
oracular released 1:2.45.2-1ubuntu1.2
plucky released 1:2.48.1-0ubuntu1.1
upstream released 2.43.7
xenial released 1:2.7.4-0ubuntu1.10+esm9
USN-7626-1

Debian

git
Release Status Fixed Version Urgency
bullseye fixed 1:2.30.2-1+deb11u2 -
bullseye (security) fixed 1:2.30.2-1+deb11u5 -
bookworm fixed 1:2.39.5-0+deb12u3 -
bookworm (security) fixed 1:2.39.5-0+deb12u2 -
trixie fixed 1:2.47.3-0+deb13u1 -
forky fixed 1:2.51.0-1 -
sid fixed 1:2.53.0-1 -
(unstable) not-affected - -

Share

CVE-2025-48386 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy