How to fix CVE-2025-6140?

During next maintenance window: Apply vendor patches when convenient. Verify denial of service controls are in place.

Is Ubuntu affected by CVE-2025-6140?

CVE-2025-6140 is a low-severity vulnerability in spdlog involving resource exhaustion (CVSS 3.3). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation. A patch is available and can be applied during standard maintenance windows.

CVE-2025-6140

EUVD-2025-18431 LOW

2025-06-16 [email protected]

3.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 21:59 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 21:59 euvd

EUVD-2025-18431

Patch Released

Mar 14, 2026 - 21:59 nvd

Patch available

PoC Detected

Jul 02, 2025 - 18:58 vuln.today

Public exploit code

CVE Published

Jun 16, 2025 - 22:16 nvd

LOW 3.3

Description

A vulnerability, which was classified as problematic, was found in spdlog up to 1.15.1. This affects the function scoped_padder in the library include/spdlog/pattern_formatter-inl.h. The manipulation leads to resource consumption. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Upgrading to version 1.15.2 is able to address this issue. The identifier of the patch is 10320184df1eb4638e253a34b1eb44ce78954094. It is recommended to upgrade the affected component.

Analysis

Technical Context

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400).

Affected Products

Affected products: Gabime Spdlog

Remediation

A vendor patch is available — apply it immediately. Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +16

POC: +20

Vendor Status

Ubuntu

Priority: Medium

spdlog

Release	Status	Version
xenial	needs-triage	-
bionic	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
noble	needs-triage	-
upstream	released	1:1.15.2+ds-1
plucky	ignored	end of life, was needs-triage
oracular	ignored	end of life, was needs-triage
questing	not-affected	1:1.15.3+ds-1

Debian

spdlog

Release	Status	Fixed Version	Urgency
bullseye	vulnerable	1:1.8.1+ds-2.1	-
bookworm	vulnerable	1:1.10.0+ds-0.4	-
trixie	fixed	1:1.15.2+ds-2	-
forky, sid	fixed	1:1.15.3+ds-1	-
(unstable)	fixed	1:1.15.2+ds-1	-

CVE-2025-6140 vulnerability details – vuln.today

Back

CVE-2025-6140

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-6140

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code