CVE-2025-13654 – A stack buffer overflow vulnerability in duc's ... (How to Fix)

Q: What is the severity of CVE-2025-13654?

CVE-2025-13654 has a CVSS score of 7.5 (HIGH). A stack buffer overflow vulnerability in duc's buffer_get function allows out-of-bounds memory reads due to an underflow condition. This could potentially lead to arbitrary code execution or denial of service. Users of the duc disk management tool are affected.

📋 TL;DR

A stack buffer overflow vulnerability in duc's buffer_get function allows out-of-bounds memory reads due to an underflow condition. This could potentially lead to arbitrary code execution or denial of service. Users of the duc disk management tool are affected.

💻 Affected Systems

Products:

duc (disk usage analyzer)

Versions: Versions before 1.4.6

Operating Systems: Linux, Unix-like systems

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability triggers when processing specially crafted input files or data.

📦 What is this software?

Duc by Zevv

View all CVEs affecting Duc →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if duc processes untrusted input from network sources.

🟠

Likely Case

Local privilege escalation or denial of service when processing malicious disk analysis data.

🟢

If Mitigated

Limited impact if duc only processes trusted local files with standard user privileges.

🌐 Internet-Facing: LOW

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploit requires local access or ability to feed malicious input to duc process.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.6

Vendor Advisory: https://github.com/zevv/duc/releases/tag/1.4.6

Restart Required: No

Instructions:

1. Download duc 1.4.6 from GitHub releases. 2. Compile and install following project documentation. 3. Replace existing duc binary with patched version.

🔧 Temporary Workarounds

Restrict duc execution

linux

Limit duc to trusted users and prevent processing of untrusted input files

chmod 750 /usr/local/bin/duc
setfacl -m u:trusteduser:rx /usr/local/bin/duc

🧯 If You Can't Patch

Remove setuid/setgid bits from duc binary if present
Run duc with reduced privileges using sudo restrictions or containers

🔍 How to Verify

Check if Vulnerable:

Check duc version: duc --version | grep -q '1\.4\.[0-5]\|1\.[0-3]\..*' && echo 'VULNERABLE'

Check Version:

duc --version

Verify Fix Applied:

Verify version is 1.4.6 or later: duc --version | grep -q '1\.4\.6\|1\.[5-9]\..*' && echo 'PATCHED'

📡 Detection & Monitoring

Log Indicators:

Segmentation fault crashes of duc process
Abnormal memory access patterns in system logs

Network Indicators:

None - local tool only

SIEM Query:

process.name:"duc" AND (event.action:"segmentation_fault" OR event.outcome:"failure")

📊 Metadata

CVE ID: CVE-2025-13654

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-787

EPSS Score: 0.09% exploit probability (25th percentile)

Published: December 5, 2025

Last Updated: January 29, 2026

🔗 References

https://github.com/zevv/duc/releases/tag/1.4.6 Release Notes
https://hackingbydoing.wixsite.com/hackingbydoing/post/stack-buffer-overflow-in-duc Exploit,Third Party Advisory
https://kb.cert.org/vuls/id/441887 Third Party Advisory
https://github.com/zevv/duc/commit/8638c4365ffd9e1966bdef8af6339dbee8c17e66
https://www.kb.cert.org/vuls/id/441887 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13654, you might also want to check these: