Clarification on CVE-2025-5222 Fix in ICU

6 views

Skip to first unread message

Vaishnav Katiyar

unread,

Dec 12, 2025, 7:18:37 AM12/12/25

to icu-s...@unicode.org

Hello,

I am seeking clarification regarding the fix for CVE-2025-5222, which was reported in ICU version 76.0 and involves a buffer overflow in the SRBRoot::addTag function.

According to Red Hat Bugzilla, this vulnerability may lead to memory corruption and arbitrary code execution when running the genrb binary. The Debian Security Tracker references ICU-22957 and commit 2c667e3 as the fix, which is included in ICU version 78.1.

However, upon reviewing the commit, I noticed that the changes do not appear to directly address the affected SRBRoot::addTag function in icu4c/source/tools/genrb/reslist.cpp. Additionally, the commit predates the public disclosure of the CVE.

Could you please confirm whether this commit is indeed the correct fix for CVE-2025-5222?

I also found a related issue here: ICU-23203

Any clarification or additional information you can provide would be greatly appreciated.

Thank you,

Vaishnav

Markus Scherer

unread,

Dec 12, 2025, 1:24:28 PM12/12/25

to Vaishnav Katiyar, icu-s...@unicode.org

On Fri, Dec 12, 2025 at 4:18 AM 'Vaishnav Katiyar' via icu-support <icu-s...@unicode.org> wrote:

I am seeking clarification regarding the fix for CVE-2025-5222, which was reported in ICU version 76.0 and involves a buffer overflow in the SRBRoot::addTag function.

It's a non-issue.

See https://groups.google.com/a/unicode.org/g/icu-support/c/dY1LF9ghw0E/m/pHWhGTg9AwAJ