CVE-2025-5222: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
A stack buffer overflow was found in International Components for Unicode (ICU). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.
AI Analysis
Technical Summary
CVE-2025-5222 is a stack-based buffer overflow vulnerability identified in the International Components for Unicode (ICU) library, a widely used set of C/C++ and Java libraries providing Unicode and globalization support. The flaw exists in the genrb binary, specifically within the SRBRoot::addTag function, where the 'subtag' struct is copied without proper size validation, leading to a classic buffer overflow condition. This unchecked buffer copy can overwrite adjacent memory on the stack, causing memory corruption. Such corruption can be leveraged by an attacker to execute arbitrary code with the privileges of the user running the genrb binary. The vulnerability is present in Red Hat Enterprise Linux 10, and the CVSS 3.1 base score is 7.0, indicating high severity. The attack vector is local (AV:L), requiring the attacker to have local system access. The attack complexity is high (AC:H), meaning exploitation is difficult and requires specific conditions. No privileges are required (PR:N), but user interaction is necessary (UI:R), implying the user must run or trigger the vulnerable binary. The scope is unchanged (S:U), so the impact is limited to the vulnerable component. The vulnerability affects confidentiality, integrity, and availability, as arbitrary code execution can lead to full system compromise. No public exploits are known at this time, and no patches or mitigation links are provided yet. The vulnerability was reserved and published in late May 2025 by Red Hat.
Potential Impact
The vulnerability allows local attackers to execute arbitrary code with the privileges of the user running the genrb binary, potentially leading to full system compromise. This can result in unauthorized access to sensitive data (confidentiality breach), modification or destruction of data (integrity impact), and disruption of services (availability impact). Since the attack requires local access and user interaction, the threat is primarily to internal users or attackers who have gained some foothold on the system. However, in environments where genrb is run with elevated privileges or automated scripts invoke it, the risk escalates significantly. Organizations relying on ICU libraries on Red Hat Enterprise Linux 10, especially in critical infrastructure, development, or production environments, face risks of privilege escalation and persistent compromise. The absence of known exploits in the wild reduces immediate risk but does not eliminate the urgency to address the vulnerability.
Mitigation Recommendations
1. Monitor Red Hat and ICU project advisories closely for official patches and apply them immediately upon release.
2. Until patches are available, restrict access to the genrb binary to trusted users only and consider removing or disabling it if not required.
3. Implement strict local user privilege management to minimize the number of users who can execute genrb.
4. Employ application whitelisting and execution control mechanisms to prevent unauthorized execution of genrb.
5. Use runtime protection tools such as stack canaries, Address Space Layout Randomization (ASLR), and Control Flow Integrity (CFI) to mitigate exploitation impact.
6. Conduct regular audits and monitoring of system logs for unusual activity related to genrb or ICU components.
7. Educate users about the risks of executing untrusted binaries and require confirmation before running sensitive utilities.
8. Consider containerization or sandboxing of ICU-related processes to limit potential damage from exploitation.
9. Prepare incident response plans specifically addressing local privilege escalation and code execution scenarios.
Affected Countries
United States, India, Germany, China, United Kingdom, Japan, France, Canada, Australia, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-05-26T14:41:58.427Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68362775182aa0cae2250911
Added to database: 5/27/2025, 8:58:29 PM
Last enriched: 2/27/2026, 3:07:20 PM
Last updated: 3/25/2026, 6:38:58 AM