{"id":"CVE-2025-48964","details":"ping in iputils before 20250602 allows a denial of service (application error in adaptive ping mode or incorrect data collection) via a crafted ICMP Echo Reply packet, because a zero timestamp can lead to large intermediate values that have an integer overflow when squared during statistics calculations. NOTE: this issue exists because of an incomplete fix for CVE-2025-47268 (that fix was only about timestamp calculations, and it did not account for a specific scenario where the original timestamp in the ICMP payload is zero).","aliases":["GHSA-25fr-jw29-74f9"],"modified":"2026-04-11T01:35:16.480262Z","published":"2025-07-22T18:15:36.020Z","related":["ALSA-2025:17558","SUSE-SU-2025:02430-1","SUSE-SU-2025:02431-1","SUSE-SU-2025:02432-1","SUSE-SU-2025:02797-1","SUSE-SU-2025:20442-1","SUSE-SU-2025:20502-1"],"references":[{"type":"WEB","url":"https://github.com/iputils/iputils/issues"},{"type":"WEB","url":"https://github.com/iputils/iputils/releases/tag/20250602"},{"type":"ADVISORY","url":"https://github.com/iputils/iputils/security/advisories/GHSA-25fr-jw29-74f9"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1243772"},{"type":"FIX","url":"https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/iputils/iputils","events":[{"introduced":"0"},{"fixed":"23b06385444fba29c898370ae6f297e41c11667b"},{"fixed":"afa36390394a6e0cceba03b52b59b6d41710608c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"20250602"}]}}],"versions":["20210202","20210722","20211215","20221126","20231222","20240117","20240905","meson","s20060425","s20060512","s20070202","s20071127","s20100214","s20100418","s20101006","s20121011","s20121106","s20121112","s20121114","s20121121","s20121125","s20121126","s20121205","s20121207","s20121221","s20140419","s20140420","s20140519","s20150815","s20160308","s20161105","s20180629","s20190324","s20190515","s20190709","s20200821","start"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-48964.json","vanir_signatures":[{"digest":{"length":833,"function_hash":"105800759686091478616109654108315309418"},"id":"CVE-2025-48964-0c05cc6c","signature_type":"Function","deprecated":false,"source":"https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c","signature_version":"v1","target":{"file":"ping/ping_common.c","function":"status"}},{"digest":{"length":3933,"function_hash":"182369497541208949835654161418634595855"},"id":"CVE-2025-48964-244608f2","signature_type":"Function","deprecated":false,"source":"https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c","signature_version":"v1","target":{"file":"ping/ping_common.c","function":"gather_statistics"}},{"digest":{"length":2381,"function_hash":"320744615718063868566799818644641732743"},"id":"CVE-2025-48964-98735526","signature_type":"Function","deprecated":false,"source":"https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c","signature_version":"v1","target":{"file":"ping/ping_common.c","function":"finish"}},{"digest":{"length":295,"function_hash":"248644319895647912990678951575326585785"},"id":"CVE-2025-48964-be293a74","signature_type":"Function","deprecated":false,"source":"https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c","signature_version":"v1","target":{"file":"ping/ping_common.c","function":"update_interval"}},{"digest":{"line_hashes":["184244054427350677747505818593335869457","79864056242559352940177094044847432904","281112926037385653755583731290289387881","14378619380022651259894420556666271008"],"threshold":0.9},"id":"CVE-2025-48964-dc58d12c","signature_type":"Line","deprecated":false,"source":"https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c","signature_version":"v1","target":{"file":"ping/ping.h"}},{"digest":{"line_hashes":["172667537343146237084421659125579529306","263864512992887303460567478434021495081","128349263759841004618263781749458859886","177713245018295066211307247864765100649","252861672801800511137120927670263489188","71860858544167501117536858718771017896","274751373014095972239683953090511380240","302129665924753023279493093151396176024","114870192407911933918802621422706357136","18976050152437949294195938989840790933","74814264016706226533781185928517186157","6966166561717910608644556984234812578","286607477162037183782043205801468994832","135290569510039796102923371126699871500","312789501723618544070369177200734121125","36935260760085448129949232389171640331"],"threshold":0.9},"id":"CVE-2025-48964-e8e1e234","signature_type":"Line","deprecated":false,"source":"https://github.com/iputils/iputils/commit/afa36390394a6e0cceba03b52b59b6d41710608c","signature_version":"v1","target":{"file":"ping/ping_common.c"}}],"vanir_signatures_modified":"2026-04-11T01:35:16Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}]}