CVE-2025-4001: Uncontrolled File Descriptor Consumption in scipopt scip

Severity: Medium
Type: Vulnerability
Published: Mon Apr 28 2025 (04/28/2025, 04:31:05 UTC)
Source: CVE
Vendor/Project: scipopt
Product: scip

Description

A vulnerability has been found in scipopt scip up to 9.2.1 and classified as problematic. It affects the function main of the file examples/LOP/src/genRandomLOPInstance.c of the component File Descriptor Handler. Manipulation of the argument File leads to uncontrolled file descriptor consumption. The attack requires local access. Upgrading to version 9.2.2 addresses this issue. The identifier of the patch is d6da63b941216d75fbc1aefea9abf1de6712a2d0. It is recommended to upgrade the affected component.

AI-Powered Analysis

Last updated: 06/24/2025, 18:22:52 UTC

Technical Analysis

CVE-2025-4001 is a vulnerability in the scipopt SCIP software, specifically affecting versions 9.2.0 and 9.2.1. SCIP is a widely used optimization software framework for solving constraint integer programs, often employed in research, industrial optimization, and operations research. The vulnerability resides in the 'main' function of the file examples/LOP/src/genRandomLOPInstance.c, within the File Descriptor Handler component. The issue involves uncontrolled file descriptor consumption triggered by manipulation of the file argument: the program can open an excessive number of file descriptors without proper limitation or closure, potentially exhausting system resources.

Exploitation requires local access with low privileges; no user interaction or authentication beyond local access is necessary. The CVSS 4.0 score is 4.8, indicating a medium severity level. The attack vector is local (AV:L), with low attack complexity (AC:L), low privileges required (PR:L), and no user interaction (UI:N). The impact is limited to availability (VA:L), with no confidentiality or integrity impact. Exploitation could lead to denial of service conditions by exhausting file descriptors, causing the application or system to fail to open new files or sockets.

The issue is addressed in version 9.2.2 of SCIP, with the patch identified by commit d6da63b941216d75fbc1aefea9abf1de6712a2d0. No known exploits are currently reported in the wild. Exploitation is constrained to local users who can run the affected SCIP versions; it does not propagate remotely or require network access.

Potential Impact

For European organizations using SCIP versions 9.2.0 or 9.2.1, this vulnerability poses a risk primarily to system availability. Since SCIP is used in optimization tasks that may be critical for logistics, manufacturing, finance, and research, uncontrolled file descriptor consumption could lead to denial of service (DoS) conditions, disrupting these operations. The impact is localized to the affected host and requires local access, limiting the risk of widespread disruption. However, in environments where SCIP is integrated into automated workflows or shared computational resources, an attacker or malfunctioning process could cause resource exhaustion, affecting availability of optimization services. This could delay decision-making processes or interrupt critical optimization computations. Confidentiality and integrity are not impacted, so data breaches or unauthorized data modification are not concerns here. The medium severity rating reflects the limited scope and local access requirement but acknowledges the potential operational disruption. Organizations relying heavily on SCIP for optimization should consider the risk of service interruption, especially in high-availability or production environments.

Mitigation Recommendations

1. Upgrade SCIP to version 9.2.2 or later immediately, as this version contains the patch that fixes the uncontrolled file descriptor consumption issue.
2. Implement strict access controls on systems running SCIP to limit local user access only to trusted personnel, reducing the risk of exploitation.
3. Monitor system resource usage, particularly file descriptor counts, on hosts running SCIP to detect abnormal consumption patterns early.
4. Employ operating system-level limits on the number of file descriptors per process (e.g., using ulimit on Linux) to prevent a single process from exhausting system-wide resources.
5. In environments where SCIP is used in automated or batch processing, incorporate watchdog or resource monitoring scripts to restart or alert on resource exhaustion conditions.
6. Review and restrict the use of example or test programs like genRandomLOPInstance.c in production environments, as these may be more prone to vulnerabilities or misuse.
7. Maintain an inventory of SCIP deployments across the organization to ensure all instances are identified and updated promptly.
8. Educate local users with access to SCIP about the risks of running untrusted inputs or scripts that could trigger resource exhaustion.
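To illustrate item 4 and the class of bug described above, the following added example (not code from SCIP or from its patch) shows a per-process descriptor cap stopping a loop that keeps handles open, while the same loop with each handle closed runs to completion. The function names, the cap of 64, the count of 100 and the use of /dev/null are assumptions chosen for the demonstration.

```c
/* Added illustration, not SCIP code: descriptor leak vs. fix under a cap. */
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#define MAX_HELD 1024

/* Lower this process's soft open-file limit, as `ulimit -n` would. 0 on success. */
static int cap_open_files(rlim_t soft)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0) return -1;
    rl.rlim_cur = soft > rl.rlim_max ? rl.rlim_max : soft; /* stay under hard limit */
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* Open `path` up to n times. close_each == 0 keeps every handle open until
 * return (the leak pattern); close_each != 0 closes each one after use (the
 * fix). Returns successful opens; *first_errno is the first failure's errno. */
static int open_many(const char *path, int n, int close_each, int *first_errno)
{
    FILE *held[MAX_HELD];
    int opened = 0, nheld = 0;
    *first_errno = 0;
    for (int i = 0; i < n && nheld < MAX_HELD; i++) {
        FILE *f = fopen(path, "r");
        if (f == NULL) {             /* EMFILE once the per-process cap is hit */
            *first_errno = errno;
            break;
        }
        opened++;
        if (close_each)
            fclose(f);
        else
            held[nheld++] = f;
    }
    while (nheld > 0)                /* release so the demo leaves nothing open */
        fclose(held[--nheld]);
    return opened;
}

int main(void)
{
    int e1, e2;
    cap_open_files(64);              /* constructed cap for the demo */
    int leaky = open_many("/dev/null", 100, 0, &e1);
    int fixed = open_many("/dev/null", 100, 1, &e2);
    printf("leaky=%d (errno %d) fixed=%d (errno %d)\n", leaky, e1, fixed, e2);
    return 0;
}
```

With the cap in place the leaking loop fails inside its own process with EMFILE instead of consuming descriptors without bound, which is the containment item 4 aims for.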

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-04-26T08:26:58.124Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d983ec4522896dcbef946

Added to database: 5/21/2025, 9:09:18 AM

Last enriched: 6/24/2025, 6:22:52 PM

Last updated: 8/18/2025, 11:32:11 PM
