CVE-2025-14935

NSF Unidata NetCDF-C Dimension Name Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of dimension names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27168.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.zerodayinitiative.com/advisories/ZDI-25-1154/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:unidata:netcdf:-:*:*:*:*:*:*:*

History

13 Jan 2026, 21:00

Type	Values Removed	Values Added
References	~~() https://www.zerodayinitiative.com/advisories/ZDI-25-1154/ -~~	() https://www.zerodayinitiative.com/advisories/ZDI-25-1154/ - Third Party Advisory
CPE		cpe:2.3:a:unidata:netcdf:-:::::::*
First Time		Unidata netcdf Unidata
CWE		CWE-787

23 Dec 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-23 21:15

Updated : 2026-01-13 21:00

NVD link : CVE-2025-14935

Mitre link : CVE-2025-14935

CVE.ORG link : CVE-2025-14935

JSON object : View

Products Affected

unidata

netcdf

CWE

CWE-122

Heap-based Buffer Overflow

CWE-787

Out-of-bounds Write

7.8 /10