Skip to main content

Mumble CVE-2025-71264

| EUVDEUVD-2025-208685 LOW
Out-of-bounds Read (CWE-125)
2026-03-16 mitre
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 07:00 euvd
EUVD-2025-208685
Analysis Generated
Mar 16, 2026 - 07:00 vuln.today
CVE Published
Mar 16, 2026 - 06:13 nvd
LOW 3.7

DescriptionCVE.org

Mumble before 1.6.870 is prone to an out-of-bounds array access, which may result in denial of service (client crash).

AnalysisAI

Mumble before version 1.6.870 contains an out-of-bounds array access vulnerability (CWE-125) that allows remote attackers to crash the client application, resulting in denial of service. The vulnerability requires network access but no authentication or user interaction, affecting all users of vulnerable Mumble client versions. While the CVSS score of 3.7 is relatively low and only impacts availability with no confidentiality or integrity compromise, this vulnerability poses a practical risk to voice communication availability in production deployments.

Technical ContextAI

Mumble is an open-source VoIP application that handles real-time voice communication over network protocols. The vulnerability stems from improper bounds checking in array access operations, classified under CWE-125 (Out-of-bounds Read), which occurs when the application attempts to read memory beyond the allocated boundaries of an array without proper validation. This memory safety issue is common in C/C++-based applications and can be triggered through specially crafted network packets sent to the Mumble client. The affected versions prior to 1.6.870 fail to validate packet structure or array indices before processing incoming protocol data, making remote triggering feasible over the network (AV:N in CVSS vector).

RemediationAI

Upgrade Mumble to version 1.6.870 or later immediately, as this version contains the fix for the out-of-bounds array access vulnerability. Download the patched version from the official Mumble project repository or your distribution's package manager. If immediate patching is not feasible, implement network-level mitigations by restricting Mumble client connections to known, trusted Mumble servers through firewall rules and host-based access controls, thereby reducing exposure to malicious or compromised servers that might send crafted packets. Additionally, monitor Mumble client processes for unexpected crashes and maintain offline communication fallback procedures during patching windows.

Vendor StatusVendor

Debian

Bug #1129178
mumble
Release Status Fixed Version Urgency
bullseye vulnerable 1.3.4-1 -
bookworm vulnerable 1.3.4-4 -
trixie vulnerable 1.5.735-5 -
forky, sid fixed 1.5.735-8 -
(unstable) fixed 1.5.735-7 -

Share

CVE-2025-71264 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy