Skip to main content

Cobalt CVE-2025-7999

HIGH
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2025-09-17 zdi-disclosures@trendmicro.com
7.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 19:12 vuln.today
CVE Published
Sep 17, 2025 - 21:15 nvd
HIGH 7.8

DescriptionCVE.org

Ashlar-Vellum Cobalt AR File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of AR files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26049.

AnalysisAI

Ashlar-Vellum Cobalt AR File Parsing Type Confusion Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Access of Resource Using Incompatible Type (Type Confusion) (CWE-843), which allows attackers to execute arbitrary code by exploiting type confusion in the application. Ashlar-Vellum Cobalt AR File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of AR files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26049. Affected products include: Ashlar Cobalt.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Enforce strict type checking, use type-safe languages, validate object types before operations.

More in Cobalt

View all
CVE-2023-39943 HIGH
8.4 Feb 04

In Ashlar-Vellum Cobalt versions prior to v12 SP2 Build (1204.200), the affected application lacks proper validation of

CVE-2023-40222 HIGH
8.4 Feb 04

In Ashlar-Vellum Cobalt versions prior to v12 SP2 Build (1204.200), the affected application lacks proper validation of

CVE-2025-65088 HIGH
8.4 May 12

An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions

CVE-2025-65087 HIGH
8.4 May 12

An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions

CVE-2025-65086 HIGH
8.4 May 12

An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share version

CVE-2024-13049 HIGH
7.8 Dec 30

Ashlar-Vellum Cobalt XE File Parsing Type Confusion Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8),

CVE-2024-13048 HIGH
7.8 Dec 30

Ashlar-Vellum Cobalt XE File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. Rated high severity (CVSS

CVE-2024-13047 HIGH
7.8 Dec 30

Ashlar-Vellum Cobalt CO File Parsing Type Confusion Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8),

CVE-2024-13046 HIGH
7.8 Dec 30

Ashlar-Vellum Cobalt CO File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. Rated high severity (CVSS

CVE-2024-13045 HIGH
7.8 Dec 30

Ashlar-Vellum Cobalt AR File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. Rated high severit

CVE-2024-13044 HIGH
7.8 Dec 30

Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. Rated high severity (CVSS

CVE-2023-39427 HIGH
7.8 Oct 26

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share v12 SP0 Build (1204.77), the affected applications lack

Share

CVE-2025-7999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy