The vulnerability allows an out-of-bounds write and read in the --showSCSIDefects option of Seagate’s openSeaChest tool when a very large defect list is returned by a storage device. A sufficiently large defect response, either from a drive with an extremely high defect count or from a maliciously crafted SCSI device, can cause the tool to write defect information beyond allocated memory, potentially corrupting adjacent data or causing the process to crash. The nature of the flaw is a classic buffer overflow (CWE-787). Because the tool writes data directly to memory, an attacker could potentially influence program control flow if additional conditions—such as the presence of exploitable code paths—are met.

All platforms running Seagate openSeaChest version 25.05.3 are affected. The exploit targets the openSeaChest utility, part of Seagate’s software suite for managing SATA/SAS devices, and is triggered when the --showSCSIDefects flag is used with a device that returns an unusually large defect list.

The CVSS score of 1.8 indicates a low severity from a typical security perspective. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likelihood of exploitation is inferred to be low because it requires either a device with an abnormally large defect list or a malicious SCSI device carefully crafted to provoke the out-of-bounds write. Consequently, the risk is moderate, primarily limited to local system instability or potential denial of service if the flaw manifests in a production environment.