
CVE-2025-6536: Reachable Assertion in Tarantool

Severity: Medium
Type: Vulnerability (CVE-2025-6536)
Published: Tue Jun 24 2025 (06/24/2025, 01:31:06 UTC)
Source: CVE Database V5
Product: Tarantool

Description

A vulnerability has been found in Tarantool up to 3.3.1 and classified as problematic. Affected by this vulnerability is the function tm_to_datetime in the library src/lib/core/datetime.c. The manipulation leads to reachable assertion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 06/24/2025, 02:11:16 UTC

Technical Analysis

CVE-2025-6536 is a vulnerability identified in Tarantool versions 3.3.0 and 3.3.1, specifically within the function tm_to_datetime in the source file src/lib/core/datetime.c. It is a reachable assertion failure: manipulated input drives execution into an assertion whose condition does not hold, and the program fails at that point. This class of defect typically results in an application crash, that is, a denial of service. The vulnerability requires local access to the system (attack vector: local) and low privileges (privileges required: low), but does not require user interaction or authentication. The CVSS v4.0 base score is 4.8, a medium severity rating. Attack complexity is low, and the impact is limited to availability, through the crash caused by the failed assertion; confidentiality and integrity are not affected. No exploitation in the wild has been observed, but a public proof-of-concept has been disclosed. The vulnerability is not remotely exploitable, which limits the attack surface to users or processes with local access to the vulnerable Tarantool instance. Tarantool is an in-memory database and application server used in data-intensive applications, often deployed where fast data processing and real-time analytics are required; in affected versions the flaw can cause unexpected service interruptions or crashes, potentially impacting applications that rely on Tarantool for critical data operations.

Potential Impact

For European organizations using Tarantool versions 3.3.0 or 3.3.1, this vulnerability primarily poses a risk of denial of service due to application crashes triggered by assertion failures. While it does not directly compromise data confidentiality or integrity, service availability could be affected, especially in environments where Tarantool is a core component of data processing pipelines or real-time applications. Organizations with multi-tenant or shared environments may face increased risk if low-privileged local users can trigger the assertion failure, potentially disrupting services for other users. The local attack requirement limits the threat to insiders or attackers who have already gained some level of access, reducing the risk of remote exploitation. However, in scenarios where Tarantool is deployed on shared infrastructure or developer workstations, the vulnerability could be leveraged to cause operational disruptions. The medium severity rating suggests that while the impact is not critical, it should not be ignored, particularly in sectors where service continuity is essential, such as finance, telecommunications, and critical infrastructure. The absence of known exploits in the wild reduces immediate risk but the public disclosure of the exploit increases the likelihood of future exploitation attempts.

Mitigation Recommendations

Upgrade Tarantool to a version later than 3.3.1 where this vulnerability is patched. If an official patch is not yet available, consider applying any vendor-provided workarounds or source code fixes targeting the tm_to_datetime function. Restrict local access to systems running vulnerable Tarantool versions by enforcing strict access controls and limiting user privileges to only those necessary for operation. Implement monitoring and alerting for unexpected crashes or assertion failures in Tarantool processes to detect potential exploitation attempts early. Conduct regular audits of user accounts and processes with local access to Tarantool hosts to minimize the risk of insider threats or unauthorized local access. In containerized or virtualized environments, isolate Tarantool instances to reduce the impact of local attacks and prevent lateral movement. Review and harden application logic that interacts with the tm_to_datetime function or passes datetime inputs to Tarantool to ensure input validation and sanitization. Prepare incident response procedures to quickly recover from potential denial of service events caused by this vulnerability.
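The recommendations above ask for monitoring of assertion failures and for an inventory of affected versions. The script below is an added example written for this page; it is not Tarantool code and not part of the advisory. It scans log lines for the generic glibc assert() message shape and for a systemd SIGABRT exit record, flags any assertion whose location is the tm_to_datetime function in src/lib/core/datetime.c named by the advisory, and checks a version string against the affected releases (3.3.0 and 3.3.1). The exact assertion text Tarantool prints is not given in the advisory, so the sample log lines are constructed and the assertion expression is a placeholder; the version-string format is also an assumption.

```python
"""Detect assertion-failure crashes of a Tarantool service from log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Releases the advisory names as affected.
AFFECTED_VERSIONS = {(3, 3, 0), (3, 3, 1)}

# glibc assert() prints: "<prog>: <file>:<line>: <func>: Assertion `<expr>' failed."
# Assumption: only this generic libc shape is matched; Tarantool's exact text is not
# given in the advisory.
ASSERT_RE = re.compile(
    r"(?P<file>[\w./+-]+\.c):(?P<line>\d+): (?P<func>\w+): "
    r"Assertion `(?P<expr>[^']*)' failed\."
)
# systemd records an abort()ed main process as "status=6/ABRT" (SIGABRT is signal 6).
ABRT_RE = re.compile(r"(?P<unit>tarantool[\w@.-]*\.service): .*status=6/ABRT")


@dataclass
class CrashEvent:
    kind: str            # "assertion" or "abort"
    detail: str          # "file:func" for assertions, unit name for aborts
    cve_2025_6536: bool  # assertion location is tm_to_datetime in src/lib/core/datetime.c
    raw: str


def classify_line(line: str) -> Optional[CrashEvent]:
    """Return a CrashEvent for a line showing an assertion failure or an abort, else None."""
    m = ASSERT_RE.search(line)
    if m:
        file_, func = m.group("file"), m.group("func")
        at_cve_location = file_.endswith("src/lib/core/datetime.c") and func == "tm_to_datetime"
        return CrashEvent("assertion", f"{file_}:{func}", at_cve_location, line)
    m = ABRT_RE.search(line)
    if m:
        return CrashEvent("abort", m.group("unit"), False, line)
    return None


def scan_log(lines: Iterable[str]) -> List[CrashEvent]:
    """Collect every crash-related event from an iterable of log lines."""
    return [ev for ev in map(classify_line, lines) if ev is not None]


def is_affected_version(version_string: str) -> bool:
    """True if a 'Tarantool X.Y.Z...' style string (assumed format) names an affected release."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if m is None:
        raise ValueError(f"no version number in {version_string!r}")
    return tuple(int(x) for x in m.groups()) in AFFECTED_VERSIONS


# Constructed sample lines, not real Tarantool output; the assertion expression and the
# line numbers are placeholders.
SAMPLE_LOG = [
    "2025-06-24 01:31:06.123 [1234] main/101/interactive I> entering the event loop",
    "tarantool: src/lib/core/datetime.c:000: tm_to_datetime: Assertion `placeholder-expr' failed.",
    "tarantool: src/lib/core/example.c:000: example_func: Assertion `placeholder-expr' failed.",
    "systemd[1]: tarantool@example.service: Main process exited, code=killed, status=6/ABRT",
]

if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        flag = " <-- location named in CVE-2025-6536" if ev.cve_2025_6536 else ""
        print(f"{ev.kind:9} {ev.detail}{flag}")
    print("3.3.1 affected:", is_affected_version("Tarantool 3.3.1-0-gconstructed"))
```

In practice the lines would come from journalctl or the Tarantool log file rather than the constructed list; an alert on any "assertion" event, with a higher priority when cve_2025_6536 is set, gives the early warning the mitigation section asks for, and the abort pattern catches the crash even when the assertion message itself was not captured.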


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-23T14:43:00.731Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 685a0560dec26fc862d8cf7c

Added to database: 6/24/2025, 1:54:40 AM

Last enriched: 6/24/2025, 2:11:16 AM

Last updated: 8/19/2025, 7:53:22 PM

Views: 48
