Bug 2374480 (CVE-2025-6536)

Summary: CVE-2025-6536 tarantool: Tarantool reachable assertion
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A reachable assertion flaw has been discovered in Tarantool. This flaw allows a local attacker to feed manipulated input to the tm_to_datetime function in src/lib/core/datetime.c in such a way to induce a crash in the application.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2374620, 2374621, 2374622    
Bug Blocks:    

Description OSIDB Bzimport 2025-06-24 02:01:36 UTC 
A vulnerability has been found in Tarantool up to 3.3.1 and classified as problematic. Affected by this vulnerability is the function tm_to_datetime in the library src/lib/core/datetime.c. The manipulation leads to reachable assertion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.