EUVD-2025-209031 | CVE-2025-64646 | MEDIUM 6.2 (CVSS 3.1)
Published 2026-03-25 | Vendor: ibm | GHSA-6hcp-q563-cm49

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

EUVD ID Assigned: Mar 25, 2026 20:47 (euvd) - EUVD-2025-209031
Analysis Generated: Mar 25, 2026 20:47 (vuln.today)
Patch Released: Mar 25, 2026 20:47 (nvd) - Patch available
CVE Published: Mar 25, 2026 20:35 (nvd) - MEDIUM 6.2

Description

IBM Concert 1.0.0 through 2.2.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.

Analysis

IBM Concert versions 1.0.0 through 2.2.0 fail to clear buffers that held sensitive data, so a local, unprivileged attacker (AV:L, PR:N, no user interaction) can recover that data from process memory. The flaw is an information disclosure only (C:H, I:N, A:N, CVSS 6.2). A vendor patch is available; no evidence of active exploitation or a public proof-of-concept has been reported in the provided intelligence.

Technical Context

The vulnerability is classified as CWE-14 (Compiler Removal of Code to Clear Buffers). In this weakness class the code meant to scrub a buffer after use is dropped by the optimizer as a dead store, because the buffer is never read again on the intended path, so the data it held stays in memory after the buffer is released or reused. Credentials, keys, or other sensitive values that IBM Concert handled in such a buffer therefore remain readable to anyone able to inspect the process's memory, for example a later occupant of the same buffer, a core dump, or a debugger attached from the same host. The public description does not say which buffer or which exposure path is involved, so the exact read primitive an attacker would use is not known from this page. The NVD entry uses the wildcard CPE cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:*; the wildcard itself does not encode a version range, and the affected range (1.0.0 through 2.2.0) comes from the CVE description. The local attack vector with no privileges required (AV:L/PR:N) means the attacker is an unprivileged user or process on the same host as Concert.
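The weakness class described above, as an added example that is not IBM's code and is not drawn from the advisory (Concert's internals are not public; the work-slot layout, the credential string and the tenant sequence are constructed for illustration). The block shows a fixed-size buffer handed from one tenant to the next without clearing, so the next tenant can read the tail of the previous credential, and the fix: scrubbing through a memset call the optimizer is not allowed to drop.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 64

/* Clearing routine the optimizer cannot drop: calling memset through a
 * volatile function pointer forces the call to be emitted even when the
 * buffer is never read again (the dead-store elimination behind CWE-14).
 * C11 Annex K memset_s() or explicit_bzero() serve the same purpose where
 * available. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void secure_memzero(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Number of non-zero bytes in [p, p + n); used to check a slot is clean. */
size_t count_nonzero(const unsigned char *p, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        k += (p[i] != 0);
    return k;
}

/* Number of bytes of `secret` still readable in `slot` beyond the first
 * `written` bytes, i.e. the tail a later tenant of the slot can observe. */
static size_t leaked_tail(const unsigned char *slot, const char *secret,
                          size_t written)
{
    size_t slen = strlen(secret), k = 0;
    for (size_t i = written; i < slen && i < SLOT_SIZE; i++)
        k += (slot[i] == (unsigned char)secret[i]);
    return k;
}

/* One pass through a shared work slot: tenant 1 stores a credential, the
 * slot is released, tenant 2 stores a shorter value.  With clear_on_release
 * == 0 the release step clears nothing (the weakness); otherwise the slot is
 * scrubbed with secure_memzero() first.  Returns how many credential bytes
 * tenant 2 can still read out of the slot, or (size_t)-1 if an input does
 * not fit. */
size_t reuse_slot(int clear_on_release, const char *secret,
                  const char *next_value)
{
    unsigned char slot[SLOT_SIZE];
    size_t slen = strlen(secret), nlen = strlen(next_value);

    if (slen > SLOT_SIZE || nlen > SLOT_SIZE)
        return (size_t)-1;

    memset(slot, 0, sizeof slot);          /* slot starts clean */
    memcpy(slot, secret, slen);            /* tenant 1: credential in memory */

    if (clear_on_release)                  /* release step */
        secure_memzero(slot, sizeof slot);

    memcpy(slot, next_value, nlen);        /* tenant 2: shorter payload */
    return leaked_tail(slot, secret, nlen);
}

/* Fill a buffer with non-zero bytes, scrub it, and report what is left.
 * Returns 0 when the scrub took effect. */
size_t scrub_demo(void)
{
    unsigned char buf[32];
    memset(buf, 0xAB, sizeof buf);
    secure_memzero(buf, sizeof buf);
    return count_nonzero(buf, sizeof buf);
}

/* Constructed sample values (not from the advisory). */
static const char SAMPLE_SECRET[] = "api-key=SuperSecretValue123";
static const char SAMPLE_NEXT[]   = "ok";

int main(void)
{
    printf("leaked without clearing: %zu bytes\n",
           reuse_slot(0, SAMPLE_SECRET, SAMPLE_NEXT));
    printf("leaked with clearing:    %zu bytes\n",
           reuse_slot(1, SAMPLE_SECRET, SAMPLE_NEXT));
    printf("non-zero bytes after secure_memzero: %zu\n", scrub_demo());
    return 0;
}
```

The unsafe path leaks every credential byte past the length of the new tenant's payload (25 of the 27 sample bytes here); the cleared path leaks none. A plain memset at the end of a function whose buffer is never read again is exactly the store an optimizer may remove, which is why the scrub goes through a volatile function pointer rather than a direct call.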

Affected Products

IBM Concert versions 1.0.0 through 2.2.0 are affected. The CPE entry cpe:2.3:a:ibm:concert:*:*:*:*:*:*:*:* is a wildcard and on its own does not confirm that range; the range comes from the CVE description and the vendor bulletin at https://www.ibm.com/support/pages/node/7267105, which carries the security bulletin and patch information. Check the exact Concert release level of each deployment against that range, and against the fixed level stated in the bulletin, to determine exposure.

Remediation

Upgrade IBM Concert to version 2.2.1 or later, as indicated by the vendor patch at https://www.ibm.com/support/pages/node/7267105; confirm the fixed release level in the bulletin itself before scheduling the upgrade. If immediate patching is not feasible, reduce who can reach Concert's process memory: restrict local logins to the host, run Concert under a dedicated service account, and apply operating-system controls that limit memory inspection by other local principals (ptrace attach restrictions, core dump limits, and permissions on dump and swap locations). Monitor with endpoint detection and response (EDR) tooling for debugger attachment, process memory reads, and unexpected core dumps involving Concert processes, since those are the likely ways a local attacker would harvest the uncleared data.

Priority Score: 31 (scale: Low / Medium / High / Critical)
KEV: 0 | EPSS: +0.0 | CVSS: +31 | POC: 0
