CVE-2025-40843

5.9 MEDIUM

📋 TL;DR

CodeChecker versions up to and including 6.26.1 contain a buffer overflow in the internal ldlogger library that is reached when the 'CodeChecker log' command is executed. This could allow an attacker to execute arbitrary code or cause a denial of service. Anyone running a vulnerable CodeChecker version is affected.

💻 Affected Systems

Products:
  • CodeChecker
Versions: through 6.26.1
Operating Systems: All platforms running CodeChecker
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered when using the 'CodeChecker log' command with the internal ldlogger library.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or lateral movement within the environment.

🟠 Likely Case

Denial of service causing CodeChecker to crash, potentially disrupting static analysis workflows and CI/CD pipelines.

🟢 If Mitigated

Limited impact with proper network segmentation and least privilege access controls in place.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to run CodeChecker commands (or to influence what 'CodeChecker log' processes) and knowledge of buffer overflow techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.26.2 or later

Vendor Advisory: https://github.com/Ericsson/codechecker/security/advisories/GHSA-5xf2-f6ch-6p8r

Restart Required: No

Instructions:

1. Update CodeChecker to version 6.26.2 or later using your package manager or from source.
2. Verify the update was successful by checking the version.
3. No restart is required, as this is a command-line tool.

🔧 Temporary Workarounds

Workaround: Avoid the CodeChecker log command

Platform: all

Temporarily avoid using the vulnerable 'CodeChecker log' command until patched.

# Use alternative logging methods or disable CodeChecker log functionality

🧯 If You Can't Patch

  • Restrict access to CodeChecker to trusted users only
  • Implement network segmentation to isolate CodeChecker instances from critical systems

🔍 How to Verify

Check if Vulnerable:

Run 'CodeChecker version' and check whether the reported version is 6.26.1 or earlier.

Check Version:

CodeChecker version

Verify Fix Applied:

Run 'CodeChecker version' and confirm the reported version is 6.26.2 or later.
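To make the version check above repeatable in a fleet or CI job, here is an added example (not code from the advisory or from the CodeChecker project). It compares versions component by component rather than as strings, and it assumes only that `CodeChecker version` prints the installed version as the first dotted N.N.N token; the `--live` flag is this script's own convention.

```shell
#!/bin/sh
# Added example, not code from the advisory or the CodeChecker project: decide whether
# an installed CodeChecker falls in the affected range for CVE-2025-40843 (versions
# through 6.26.1, fixed in 6.26.2). Versions are compared component by component as
# integers, so a string comparison mistake (6.26.10 < 6.26.2) cannot misreport a fix.

FIXED_VERSION="6.26.2"

# version_cmp A B: prints -1, 0 or 1 for A < B, A == B, A > B.
# Assumes dotted numeric versions; missing components count as 0.
version_cmp() {
    va="$1"; vb="$2"
    old_ifs=$IFS; IFS=.
    set -- $va; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $vb; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return 0; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# extract_version TEXT: first N.N.N token in `CodeChecker version` output.
# The advisory does not show that output's layout, so this assumes only that the
# installed version is the first dotted version number printed (assumption).
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# is_affected VERSION: succeeds (exit 0) when VERSION is strictly below the fix.
is_affected() {
    if [ -z "$1" ]; then
        printf 'could not determine CodeChecker version\n' >&2
        return 2
    fi
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Live check against the installed tool (guarded so the block also runs without it).
if [ "${1:-}" = "--live" ]; then
    v=$(extract_version "$(CodeChecker version 2>/dev/null)")
    if is_affected "$v"; then
        printf 'CodeChecker %s is affected by CVE-2025-40843; update to %s or later\n' "$v" "$FIXED_VERSION"
        exit 1
    fi
    printf 'CodeChecker %s is not in the affected range\n' "$v"
fi
```

Run it as `sh check.sh --live` on each host; a non-zero exit marks an affected install, which makes it easy to wire into a compliance job.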

📡 Detection & Monitoring

Log Indicators:

  • Unexpected crashes of CodeChecker process
  • Abnormal memory usage patterns in CodeChecker logs

Network Indicators:

  • Unusual network connections from CodeChecker processes

SIEM Query:

process_name:"CodeChecker" AND (event_type:crash OR memory_usage:high)
