Security Advisory 2025-10-22-1 - ubusd: heap buffer overflow (CVE-2025-62526)
DESCRIPTION
ubusd contains a heap buffer overflow in the event registration parsing code. This allows an attacker to modify the heap and potentially execute arbitrary code in the context of the ubus daemon.
Because the affected code runs before the ACL checks, all ubus clients are able to send such messages.
In addition to the heap corruption, the crafted subscription also results in a bypass of the listen ACL.
REQUIREMENTS
Any ubus client could exploit this problem.
MITIGATIONS
Upgrade to OpenWrt 24.10.4 or later.
This is fixed in OpenWrt 24.10.4 and later, including snapshot builds since October 18th 2025. Older OpenWrt versions such as 23.05 and 22.03 might be affected too, but they are end of life and no longer receive security support.
AFFECTED VERSIONS
All versions older than OpenWrt 24.10.4.
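As an added example (not part of this advisory or of the OpenWrt project's own tooling), the following POSIX shell snippet classifies an installed OpenWrt release against the fixed version 24.10.4 stated above. It reads DISTRIB_RELEASE from /etc/openwrt_release when that file is present and otherwise falls back to a constructed sample. The function names, the sample file contents, and the decision to flag snapshot builds for a manual build-date check (since the release string does not carry the date) are assumptions of this example.

```shell
#!/bin/sh
# Added example: is this OpenWrt release older than the CVE-2025-62526 fix (24.10.4)?

# Compare two dotted version strings field by field as integers.
# Prints -1, 0 or 1 for a<b, a==b, a>b. Non-numeric suffixes such as "-rc1"
# are dropped from a field before comparing; missing fields count as 0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Classify a DISTRIB_RELEASE value. Prints one of:
#   fixed               24.10.4 or newer
#   affected            24.10.x before 24.10.4
#   eol-affected        23.05, 22.03 and older: possibly affected, no longer supported
#   snapshot-check-date snapshot build; fixed only if built on/after 2025-10-18
classify_release() {
    rel="$1"
    case "$rel" in
        SNAPSHOT|*snapshot*|*SNAPSHOT*)
            printf '%s\n' snapshot-check-date; return ;;
    esac
    if [ "$(vercmp "$rel" 24.10.4)" -ge 0 ]; then
        printf '%s\n' fixed
    elif [ "$(vercmp "$rel" 24.10.0)" -ge 0 ]; then
        printf '%s\n' affected
    else
        printf '%s\n' eol-affected
    fi
}

# Extract the DISTRIB_RELEASE value from the text of an openwrt_release file.
release_from_text() {
    printf '%s\n' "$1" | sed -n "s/^DISTRIB_RELEASE='\(.*\)'$/\1/p"
}

# Constructed sample of /etc/openwrt_release (not captured from a real device).
SAMPLE_RELEASE_FILE="DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='24.10.2'
DISTRIB_REVISION='r0-constructed'
DISTRIB_TARGET='x86/64'
DISTRIB_DESCRIPTION='OpenWrt 24.10.2 (constructed sample)'"

# Use the running system when available, otherwise the sample above.
if [ -r /etc/openwrt_release ]; then
    rel=$(release_from_text "$(cat /etc/openwrt_release)")
else
    rel=$(release_from_text "$SAMPLE_RELEASE_FILE")
fi
printf 'OpenWrt %s: %s\n' "$rel" "$(classify_release "$rel")"
```

Run it on the device with `sh check.sh`; a result of `affected` or `eol-affected` means the ubusd on that system predates the fix and the upgrade in the MITIGATIONS section applies. A `snapshot-check-date` result needs a look at the build date, because the release string alone cannot tell a pre-fix snapshot from a post-fix one.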
CREDITS
Thank you Karsten Sperling from Apple for the report and the PoC.
REFERENCES
- fix similar code pattern: https://github.com/openwrt/ubus/commit/aa4a7ee1d3417bc11207ad0a78d579ece7fe0c13
- OpenWrt main branch: https://github.com/openwrt/openwrt/commit/4b907e69ea58fc0ba35fd1755dc4ba22262af3a4
- Advisory on github: https://github.com/openwrt/openwrt/security/advisories/GHSA-cp32-65v4-cp73