[Pkg-electronics-devel] Bug#1126285: arduino-core-avr: CVE-2025-69209

Salvatore Bonaccorso carnil at debian.org
Fri Jan 23 16:50:01 GMT 2026


Source: arduino-core-avr
Version: 1.8.6+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/arduino/ArduinoCore-avr/pull/613
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for arduino-core-avr.

CVE-2025-69209[0]:
| ArduinoCore-avr contains the source code and configuration files of
| the Arduino AVR Boards platform. A vulnerability in versions prior
| to 1.8.7 allows an attacker to trigger a stack-based buffer overflow
| when converting floating-point values to strings with high
| precision. By passing very large `decimalPlaces` values to the
| affected String constructors or concat methods, the `dtostrf`
| function writes beyond fixed-size stack buffers, causing memory
| corruption and denial of service. Under specific conditions, this
| could enable arbitrary code execution on AVR-based Arduino boards.
| ### Patches
| - The Fix is included starting from the `1.8.7` release available from the following link [ArduinoCore-avr v1.8.7](https://github.com/arduino/ArduinoCore-avr)
| - The Fixing Commit is available at the following link [1a6a417f89c8901dad646efce74ae9d3ddebfd59](https://github.com/arduino/ArduinoCore-avr/pull/613/commits/1a6a417f89c8901dad646efce74ae9d3ddebfd59)
| ### References
| - [ASEC-26-001 ArduinoCore-avr vXXXX Resolves Buffer Overflow Vulnerability](https://support.arduino.cc/hc/en-us/articles/XXXXX)
| ### Credits
| - Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-69209
    https://www.cve.org/CVERecord?id=CVE-2025-69209
[1] https://github.com/arduino/ArduinoCore-avr/pull/613
[2] https://github.com/arduino/ArduinoCore-avr/security/advisories/GHSA-pvx3-fm7w-6hjm
[3] https://github.com/arduino/ArduinoCore-avr/commit/82a8ad2fb33911d8927c7af22e0472b94325d1a7
[4] https://support.arduino.cc/hc/en-us/articles/24985906702748-ASEC-26-001-ArduinoCore-AVR-v1-8-7-Resolves-Stack-Based-Buffer-Overflow-Vulnerability

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
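The dtostrf() pattern the CVE text above describes, modelled on a host so it can be run without an AVR board. This is an added example and is not code from this bug report, from ArduinoCore-avr, or from the upstream fix: the 33-byte buffer size, the width = decimalPlaces + 2 call shape, the use of host snprintf as a stand-in for avr-libc's unbounded dtostrf, and the clamping strategy in float_to_string_bounded are all assumptions made here for illustration. The vulnerable variant only computes how many bytes would land past the end of the stack buffer rather than performing the write, since doing so would be undefined behaviour on the host.

```c
/* Added example (not ArduinoCore-avr code): host model of the
 * dtostrf()-into-fixed-stack-buffer pattern behind CVE-2025-69209,
 * and a bounded replacement. Build: cc -std=c99 -Wall example.c */
#include <float.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASSUMPTION: size of the fixed stack buffer in the affected pattern. */
#define FIXED_BUF_SIZE 33

/* Bytes, including the NUL, that dtostrf(val, width, prec, buf) writes.
 * avr-libc's dtostrf formats like sprintf(buf, "%*.*f", ...) with no
 * bound, so the length snprintf reports is exactly what it would emit.
 * (On AVR double is 32-bit in this core; the host uses 64-bit, so the
 * digit counts differ, but the mechanism is the same.) */
size_t dtostrf_output_len(double val, int width, unsigned char prec)
{
    int n = snprintf(NULL, 0, "%*.*f", width, (int)prec, val);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Vulnerable shape (assumed): char buf[33]; dtostrf(value,
 * decimalPlaces + 2, decimalPlaces, buf). Returns how many bytes would be
 * written past the end of buf; 0 means the call stays in bounds. On real
 * hardware the excess overwrites saved registers and the return address. */
size_t vulnerable_overflow_bytes(double value, unsigned char decimalPlaces)
{
    size_t need = dtostrf_output_len(value, decimalPlaces + 2, decimalPlaces);
    return need > FIXED_BUF_SIZE ? need - FIXED_BUF_SIZE : 0;
}

/* Hardened version (this example's own approach, not the upstream patch):
 * measure the sign + integer digits + NUL first, spend the remaining room
 * on '.' and decimals, clamp the requested precision to that, and format
 * with a bounded call. Returns the string length, or 0 with out[0] == NUL
 * when even the integer part cannot fit. No field width is used: padding
 * adds nothing here and would only complicate the bound. */
size_t float_to_string_bounded(double value, unsigned char decimalPlaces,
                               char *out, size_t out_size)
{
    if (out == NULL || out_size == 0)
        return 0;

    /* Rounding to 0 decimals is an upper bound on the integer part's
     * length for any other precision, so this measurement is safe. */
    size_t fixed = dtostrf_output_len(value, 0, 0);
    if (fixed > out_size) {
        out[0] = '\0';
        return 0;
    }

    size_t room = out_size - fixed;          /* bytes left for '.' + decimals */
    unsigned char prec = decimalPlaces;
    if (room < 2)
        prec = 0;                            /* not even room for ".d" */
    else if (prec > room - 1)
        prec = (unsigned char)(room - 1);

    int n = snprintf(out, out_size, "%.*f", (int)prec, value);
    return n < 0 ? 0 : (size_t)n;            /* clamp guarantees n < out_size */
}

int main(void)
{
    char buf[FIXED_BUF_SIZE];
    printf("decimalPlaces=2   overflow bytes: %zu\n",
           vulnerable_overflow_bytes(3.14159, 2));
    printf("decimalPlaces=255 overflow bytes: %zu\n",
           vulnerable_overflow_bytes(3.14159, 255));
    printf("bounded, decimalPlaces=255: \"%s\" (len %zu)\n", buf,
           float_to_string_bounded(3.14159, 255, buf, sizeof buf));
    return 0;
}
```

The hardened routine is one way to close the hole; the upstream fix in 1.8.7 should be consulted for what the project actually did. The important property is that the destination size, not the caller's decimalPlaces, decides how many bytes are written.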