Skip to main content

CVE-2025-69720

HIGH
Classic Buffer Overflow (CWE-120)
2026-03-19 mitre
High
Disputed · 7.3 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
7.3 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
7.8 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch released
Apr 09, 2026 - 08:30 nvd
Patch available
Analysis Generated
Mar 19, 2026 - 15:00 vuln.today
CVE Published
Mar 19, 2026 - 00:00 nvd
HIGH 7.3

DescriptionCVE.org

ncurses v6.5 and v6.4 are vulnerable to Buffer Overflow in progs/infocmp.c, function analyze_string().

AnalysisAI

A buffer overflow vulnerability exists in ncurses versions 6.4 and 6.5 within the infocmp utility's analyze_string() function in progs/infocmp.c. This vulnerability allows an attacker to trigger a buffer overflow by providing maliciously crafted input to the infocmp program, potentially leading to denial of service or arbitrary code execution. A proof-of-concept exploit has been publicly released on GitHub, increasing the practical risk of exploitation.

Technical ContextAI

ncurses is a widely-used C library providing terminal control and text-based user interface capabilities across Unix-like systems. The infocmp utility is a command-line tool included with ncurses that compares and analyzes terminfo database entries. The vulnerability resides in the analyze_string() function within progs/infocmp.c, which processes terminal capability strings without proper bounds checking. This is a classic CWE-120 (Buffer Copy without Checking Size of Input) or CWE-121 (Stack-based Buffer Overflow) vulnerability where input string processing fails to validate length constraints before writing to a fixed-size buffer. The affected products are identified under ncurses through the generic CPE reference, with confirmed impact on versions 6.4 and 6.5.

RemediationAI

Upgrade ncurses to version 6.6 or later when available from your distribution. Users should check their vendor's ncurses package repository for patched versions addressing CVE-2025-69720. As an interim measure, limit access to the infocmp utility through file permissions or remove it entirely if not required for production operations. If infocmp must remain available, restrict its execution through AppArmor, SELinux, or similar mandatory access control mechanisms to prevent exploitation of the buffer overflow. Monitor system logs for unexpected infocmp invocations or crashes. Refer to your Linux distribution's security advisory (e.g., from Ubuntu, Debian, Red Hat) for specific patch availability and timelines.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

CVE-2025-69720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy