A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8744 of biosig.c on the current master branch (35a819fa), when the Tag is 3:

else if (tag==3) {
// character code
char v[17]; // [1]
if (len>16) fprintf(stderr,"Warning MFER tag2 incorrect length %i>16\n",len);
curPos += ifread(&v,1,len,hdr);
v[len] = 0;

In this case, the overflowed buffer is the newly-declared `v` \[1\] instead of `buf`. Since `v` is only 17 bytes large, much smaller values of `len` (even those encoded using a single octet) can trigger an overflow in this code path.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 02 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Libbiosig Project
Libbiosig Project libbiosig
CPEs cpe:2.3:a:libbiosig_project:libbiosig:*:*:*:*:*:*:*:*
Vendors & Products Libbiosig Project
Libbiosig Project libbiosig

Mon, 25 Aug 2025 22:15:00 +0000

Type Values Removed Values Added
First Time appeared The Biosig Project
The Biosig Project libbiosig
Vendors & Products The Biosig Project
The Biosig Project libbiosig

Mon, 25 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 25 Aug 2025 14:00:00 +0000

Type Values Removed Values Added
Description A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8744 of biosig.c on the current master branch (35a819fa), when the Tag is 3: else if (tag==3) { // character code char v[17]; // [1] if (len>16) fprintf(stderr,"Warning MFER tag2 incorrect length %i>16\n",len); curPos += ifread(&v,1,len,hdr); v[len] = 0; In this case, the overflowed buffer is the newly-declared `v` \[1\] instead of `buf`. Since `v` is only 17 bytes large, much smaller values of `len` (even those encoded using a single octet) can trigger an overflow in this code path.
Weaknesses CWE-121
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: talos

Published:

Updated: 2025-08-25T19:10:14.694Z

Reserved: 2025-07-23T14:45:55.835Z

Link: CVE-2025-54481

cve-icon Vulnrichment

Updated: 2025-08-25T19:10:10.355Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-25T14:15:33.700

Modified: 2025-09-02T16:32:54.493

Link: CVE-2025-54481

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-25T21:53:05Z