
CVE-2025-5001: Integer Overflow in GNU PSPP

Medium
Published: Tue May 20 2025 (05/20/2025, 21:31:05 UTC)
Source: CVE
Vendor/Project: GNU
Product: PSPP

Description

A vulnerability was found in GNU PSPP 82fb509fb2fedd33e7ac0c46ca99e108bb3bdffb. It has been declared as problematic. This vulnerability affects the function calloc of the file pspp-convert.c. The manipulation of the argument -l leads to integer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/06/2025, 05:11:21 UTC

Technical Analysis

CVE-2025-5001 is an integer overflow vulnerability in GNU PSPP, affecting the function calloc in the pspp-convert.c source file. PSPP is a free software application for statistical analysis of sampled data, often used as an alternative to proprietary tools like SPSS. The vulnerability arises from improper handling of the argument passed via the '-l' option, which leads to an integer overflow during memory allocation. This overflow can cause the program to allocate less memory than required, potentially leading to buffer overflows or memory corruption.

Exploitation requires local access with at least low-level privileges and does not require user interaction or elevated privileges. The vulnerability has been publicly disclosed, but no known exploits have been observed in the wild. The CVSS 4.0 base score is 4.8, indicating medium severity. The attack vector is local, with low attack complexity, no privileges required beyond local access, and no user interaction needed. The impact is limited to availability, with no direct confidentiality or integrity impact reported.

A local attacker could leverage this vulnerability to cause a denial of service, or potentially to execute arbitrary code if it is combined with other vulnerabilities or conditions, although no such exploitation has been confirmed. No patches were available at the time of disclosure, so users should apply mitigations and install updates once they are available.
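The pattern described above, as an added illustration that is not PSPP's code: a numeric option value parsed without range checks feeds allocation-size arithmetic that wraps, shown beside a checked parse and an overflow-safe allocation. The function names, the `n + 1` sizing and the `MAX_LENGTH_OPTION` cap are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical upper bound for a user-supplied length; not a PSPP constant. */
#define MAX_LENGTH_OPTION 4096

/* Unchecked pattern: the parsed value flows straight into size arithmetic.
   Unsigned arithmetic wraps silently, so the byte count can shrink. */
size_t unchecked_alloc_size(const char *arg, size_t elem_size)
{
    size_t n = (size_t)strtoll(arg, NULL, 10);
    return (n + 1) * elem_size;
}

/* Checked parse: returns 0 and stores the count, or -1 on invalid input. */
int parse_length_option(const char *arg, size_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0')
        return -1;                      /* out of range, empty, trailing junk */
    if (v < 0 || v > MAX_LENGTH_OPTION)
        return -1;                      /* negative or above the policy cap */
    *out = (size_t)v;
    return 0;
}

/* Allocates n + 1 zeroed elements; NULL if the size arithmetic would wrap. */
void *alloc_records(size_t n, size_t elem_size)
{
    if (n == SIZE_MAX)
        return NULL;
    size_t count = n + 1;
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return NULL;
    return calloc(count, elem_size);
}

int main(void)
{
    size_t n;
    /* Constructed inputs: a normal value and one that wraps the size math. */
    printf("unchecked \"-1\" -> %zu bytes\n", unchecked_alloc_size("-1", 8));
    printf("checked   \"-1\" -> %d\n", parse_length_option("-1", &n));
    printf("checked   \"80\" -> %d\n", parse_length_option("80", &n));
    return 0;
}
```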

Potential Impact

For European organizations, the impact of CVE-2025-5001 is primarily on systems running GNU PSPP, which is commonly used in academic, research, and statistical analysis environments. The vulnerability could allow a local attacker to cause denial of service or potentially escalate privileges if combined with other exploits, disrupting critical data analysis workflows. This could affect universities, research institutions, government statistical agencies, and private sector companies relying on PSPP for data processing. Although the attack requires local access, insider threats or compromised user accounts could exploit this vulnerability. The medium severity rating suggests moderate risk, but the potential for disruption in data integrity and availability in research and analytics environments could have downstream effects on decision-making and reporting. Given the lack of remote exploitation capability, the threat is more contained but still relevant for organizations with multiple users or shared systems. The absence of known exploits in the wild reduces immediate risk but does not eliminate the need for vigilance.

Mitigation Recommendations

1. Restrict local access to systems running GNU PSPP to trusted users only, employing strict access controls and monitoring for unusual activity.
2. Implement application whitelisting and privilege separation to limit the ability of low-privilege users to execute or manipulate PSPP processes.
3. Monitor system logs and application behavior for signs of memory corruption or crashes related to PSPP usage.
4. Once patches or updates are released by the GNU project, apply them promptly to address the integer overflow vulnerability.
5. Consider running PSPP within sandboxed or containerized environments to limit the impact of potential exploitation.
6. Educate users about the risks of local exploitation and enforce strong endpoint security policies to prevent unauthorized local access.
7. Conduct regular security assessments and penetration testing focusing on local privilege escalation vectors to detect similar vulnerabilities.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-20T13:11:09.270Z
CISA Enriched: false
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682cf9154d7c5ea9f4b3afd3

Added to database: 5/20/2025, 9:50:13 PM

Last enriched: 7/6/2025, 5:11:21 AM

Last updated: 7/30/2025, 4:08:35 PM
