Impact
The vulnerability resides in the llvm::StringMap::insert function within ValueSymbolTable.cpp of llvm-project, up to version 22.1.6. Manipulating the input to this function triggers a stack-based buffer overflow, which can corrupt memory. Based on typical buffer overflow behavior, this may allow local code execution or further local attack steps.
Affected Systems
Vendors: llvm. Products: llvm-project (component ValueSymbolTable). Any installation of llvm-project at release 22.1.6 or earlier is susceptible.
Risk and Exploitability
The CVSS score of 4.8 indicates moderate severity. The EPSS score of 0.00124 indicates a very low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Local access is required, but a publicly available exploit exists, making it a realistic threat for systems that allow local users to invoke the affected component. Based on the nature of stack-based buffer overflows, the potential impact is limited to local code execution and denial of service through crashes.