CVE-2025-64736 is a medium-severity vulnerability classified as CWE-125 (Out-of-bounds Read) found in The Biosig Project's libbiosig library, specifically in its ABF file parsing functionality. The affected versions include 3.9.2 and the Master Branch (5462afb0). The vulnerability arises when the parser reads beyond the allocated buffer boundaries while processing specially crafted .abf files, which are used to store biosignal data. This out-of-bounds read can lead to an information leak, exposing potentially sensitive memory contents to an attacker. Exploitation requires the attacker to provide a malicious .abf file and for a user or system process to parse it, implying user interaction is necessary. The attack vector is local (AV:L), with low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:R). The impact is primarily on confidentiality (C:H), with no impact on integrity (I:N) or availability (A:L). No public exploits have been reported yet, and no patches are currently linked, indicating the need for vigilance and proactive mitigation. The vulnerability was published on March 3, 2026, and was reserved in December 2025. Given libbiosig's role in biosignal data processing, this vulnerability could affect applications in medical, research, and biometric fields that rely on this library for handling ABF files.

The primary impact of CVE-2025-64736 is an information leak due to out-of-bounds reads during ABF file parsing. Organizations using libbiosig in medical devices, research tools, or biometric systems may inadvertently expose sensitive biosignal data or other memory contents if malicious .abf files are processed. This could lead to privacy violations, leakage of patient or research data, and potential regulatory non-compliance. Although the vulnerability does not allow code execution or system disruption, the confidentiality breach could be leveraged in multi-stage attacks or to gain intelligence about system memory layouts. The requirement for local access and user interaction limits remote exploitation but insider threats or compromised user accounts could still pose risks. The absence of known exploits reduces immediate threat but does not eliminate future risk, especially as the vulnerability becomes publicly known. The impact is thus moderate but significant in sensitive environments handling biosignal data.

To mitigate CVE-2025-64736, organizations should: 1) Monitor The Biosig Project for official patches or updates addressing this vulnerability and apply them promptly once available. 2) Implement strict validation and sanitization of all .abf files before parsing, including file integrity checks and format verification to detect malformed or suspicious files. 3) Restrict the sources from which .abf files can be imported or processed, limiting to trusted and verified origins only. 4) Employ sandboxing or containerization for applications that parse .abf files to contain potential information leaks and limit memory exposure. 5) Enforce least privilege principles for users and processes handling biosignal data to reduce the risk of malicious file introduction and processing. 6) Conduct security awareness training for users to recognize and avoid opening untrusted or unexpected .abf files. 7) Monitor system logs and application behavior for anomalies during file parsing that could indicate exploitation attempts. These targeted measures go beyond generic advice by focusing on the specific attack vector and environment of libbiosig usage.