CVE-2014-8625
CVE-2014-8625 is a medium-severity vulnerability in Debian Dpkg with a CVSS 2.0 base score of 6.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-134.
Key facts
- Severity: Medium (CVSS 2.0 base score 6.8)
- EPSS exploit prediction: 3% (87th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-134
- Affected product: Debian Dpkg
- Published:
- Last modified:
Description
Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name.
Frequently asked questions
- What is CVE-2014-8625?
- Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name.
- How severe is CVE-2014-8625?
- CVE-2014-8625 has a CVSS 2.0 base score of 6.8, rated medium severity.
- Is CVE-2014-8625 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (87th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2014-8625?
- CVE-2014-8625 affects Debian Dpkg. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2014-8625?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2014-8625 published?
- CVE-2014-8625 was published on 2015-01-20 and last updated on 2026-06-17.
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157387.html
- http://seclists.org/oss-sec/2014/q4/539
- http://seclists.org/oss-sec/2014/q4/551
- http://seclists.org/oss-sec/2014/q4/622
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768485
- https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1389135
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98551
Affected products (1)
- cpe:2.3:a:debian:dpkg:*:*:*:*:*:*:*:*
More vulnerabilities in Debian Dpkg
- CVE-2022-1664 — Critical (CVSS 9.8): Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is…
- CVE-2017-8283 — Critical (CVSS 9.8): dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU patch program and does not offer a protection…
- CVE-2025-6297 — High (CVSS 8.2): It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into…
- CVE-2026-2219 — High (CVSS 7.5): It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate…
- CVE-2015-0860 — High (CVSS 7.5): Off-by-one error in the extracthalf function in dpkg-deb/extract.c in the dpkg-deb component in Debian dpkg 1.16.x…
- CVE-2004-2768 — High (CVSS 7.2): dpkg 1.9.21 does not properly reset the metadata of a file during replacement of the file in a package upgrade, which…
All CVEs affecting Debian Dpkg →
Other CWE-134 vulnerabilities
- CVE-2012-1851 — Critical (CVSS 10.0): Format string vulnerability in the Print Spooler service in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2,…
- CVE-2012-0242 — Critical (CVSS 10.0): Format string vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary…
- CVE-2011-2475 — Critical (CVSS 10.0): Format string vulnerability in ECTrace.dll in the iMailGateway service in the Internet Mail Gateway in OneBridge Server…
- CVE-2011-1568 — Critical (CVSS 10.0): Format string vulnerability in the logText function in shmemmgr9.dll in IGSSdataServer.exe 9.00.00.11074, and…
- CVE-2010-4235 — Critical (CVSS 10.0): Format string vulnerability in RealNetworks Helix Server 12.x, 13.x, and 14.x before 14.2, and Helix Mobile Server…
- CVE-2011-0270 — Critical (CVSS 10.0): Format string vulnerability in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows…