CVEFinder.io

CVE-2025-11464

⚠️ high
🔍 Scan for this CVE
Summary

Ashlar-Vellum Cobalt CO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CO files. The issue results from the lack of proper validation of the length of user-supplied data

Description

Ashlar-Vellum Cobalt CO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of CO files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26628.

CVSS Score
7.8
High
EPSS Score
0.1
Exploit Probability
Published Date
2025-10-29
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.7% of all 321,566 vulnerabilities in our database.

#97,378
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Oct 30, 2025
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Total
Complete system compromise possible
SSVC data provided by CISA
Last Modified 2025-11-04
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-122

📦 Affected Products 1

Vendor Product Status Affected Versions
ashlar cobalt Affected
v12.2.1204.97

🔗 References 1

https://www.zerodayinitiative.com/advisories/ZDI-25-...
Third Party Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-65086 ⚠️ high 7.8 0.0 An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share version... 2026-05-12
CVE-2025-65087 ⚠️ high 7.8 0.0 An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions... 2026-05-12
CVE-2025-65088 ⚠️ high 7.8 0.0 An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions... 2026-05-12
CVE-2025-65084 ⛔ critical 9.8 0.1 An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share version... 2025-11-25
CVE-2025-65085 ⛔ critical 9.8 0.1 A Heap-based Buffer Overflow vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share v... 2025-11-25
CVE-2025-11463 ⚠️ high 7.8 0.1 Ashlar-Vellum Cobalt XE File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows rem... 2025-10-29
These CVEs affect the same products