CVE-2025-15536 in OpenCC
Summary
by MITRE • 01/18/2026
A weakness has been identified in BYVoid OpenCC up to 1.1.9. This vulnerability affects the function opencc::MaxMatchSegmentation of the file src/MaxMatchSegmentation.cpp. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. Patch name: 345c9a50ab07018f1b4439776bad78a0d40778ec. To fix this issue, it is recommended to deploy a patch.
Analysis
by VulDB Data Team • 02/07/2026
The vulnerability CVE-2025-15536 represents a critical heap-based buffer overflow in the BYVoid OpenCC library version 1.1.9 and earlier, specifically within the opencc::MaxMatchSegmentation function located in src/MaxMatchSegmentation.cpp. This flaw constitutes a software security weakness that allows attackers to manipulate memory allocation patterns through improper input handling during text segmentation operations. The vulnerability falls under the Common Weakness Enumeration category CWE-121, which encompasses heap-based buffer overflow conditions that occur when insufficient bounds checking permits writing beyond allocated memory boundaries. The affected function processes text input for Chinese character segmentation using a maximum matching algorithm, making it susceptible to malicious input that exceeds predetermined buffer limits.
The exploitation of this vulnerability requires local execution privileges, meaning an attacker must already have access to the system to leverage the flaw. However, the public availability of exploit code significantly increases the risk profile as it lowers the barrier to successful exploitation. This vulnerability is particularly concerning in environments where OpenCC is used for text processing, as it could enable arbitrary code execution or system compromise when malicious input is processed through the vulnerable function.
The patch referenced as 345c9a50ab07018f1b4439776bad78a0d40778ec addresses the root cause by implementing proper bounds checking and memory management within the segmentation algorithm. The patch ensures that input data is validated before processing and that buffer allocations properly account for maximum expected input sizes. Organizations using OpenCC should immediately apply this patch to prevent potential exploitation.
The vulnerability also aligns with ATT&CK technique T1059.007, which covers command and scripting interpreter usage, as exploitation could involve executing malicious code through compromised text processing pipelines. Security practitioners should monitor for any unauthorized local access attempts and implement proper input validation measures beyond the patch to mitigate potential indirect exploitation vectors. The impact of this vulnerability extends beyond simple memory corruption, as it could potentially allow attackers to escalate privileges or access sensitive system resources through successful exploitation of the heap overflow condition.