CVE-2025-8854

9.8 CRITICAL

📋 TL;DR

A stack-based buffer overflow vulnerability in bulletphysics bullet3's LoadOFF function allows remote attackers to execute arbitrary code by providing a specially crafted OFF file with an overlong initial token. This affects all platforms using bullet3 versions before 3.26, particularly through the VHACD test utility or PyBullet's vhacd function.

💻 Affected Systems

Products:
  • bulletphysics bullet3
  • PyBullet (when using vhacd function)
  • Applications using bullet3's VHACD functionality
Versions: All versions before 3.26
Operating Systems: All platforms (Windows, Linux, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires processing untrusted OFF files through the vulnerable LoadOFF function, typically via VHACD test utility or PyBullet's vhacd.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the process running bullet3, potentially leading to full system compromise.

🟠 Likely Case

Application crash (denial of service) or limited code execution, depending on exploit sophistication and environment.

🟢 If Mitigated

Denial of service if the exploit fails or is blocked, with no code execution thanks to mitigations such as ASLR or DEP.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious OFF file and getting it processed by the vulnerable function. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.26

Vendor Advisory: https://github.com/bulletphysics/bullet3/issues/4732

Restart Required: Yes

Instructions:

1. Update bullet3 to version 3.26 or later.
2. Rebuild any applications using bullet3.
3. Restart services or applications using the updated library.

🔧 Temporary Workarounds

Disable VHACD processing of untrusted OFF files

Applies to: all

Prevent processing of untrusted OFF files through the VHACD functionality.

Input validation for OFF files

Applies to: all

Implement strict validation of OFF file tokens before passing them to bullet3.
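One way to apply that workaround in a PyBullet pipeline, as an added example that is not part of this advisory or of bullet3: a small pre-validator that tokenizes an OFF file and rejects it before it reaches LoadOFF if any whitespace-delimited token (the header token in particular) is overlong, the header keyword is unknown, or the count line is malformed. The MAX_TOKEN_LEN value, the VALID_HEADERS set and the two sample files are assumptions constructed for this example; the limit is a conservative policy choice, not bullet3's internal buffer size.

```python
"""Pre-validate an OFF mesh file before handing it to bullet3 VHACD/LoadOFF."""
import re
from typing import Iterator, Tuple

# Policy limit on any single whitespace-delimited token. Assumed value chosen
# for this example; it is NOT the size of bullet3's internal stack buffer.
MAX_TOKEN_LEN = 64
# Header keywords the OFF family of formats uses (assumed set; plain "OFF" is
# the common case).
VALID_HEADERS = {"OFF", "COFF", "NOFF", "CNOFF", "STOFF", "4OFF"}


def _tokens(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, token) for every whitespace-separated token,
    dropping '#' comments, so each token can be length-checked."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        body = line.split("#", 1)[0]
        for tok in body.split():
            yield line_no, tok


def validate_off(text: str, max_token_len: int = MAX_TOKEN_LEN) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects overlong tokens anywhere in the file
    (the reported bug is triggered by an overlong *initial* token), an
    unknown header keyword, and a missing or non-numeric count line."""
    toks = list(_tokens(text))
    if not toks:
        return False, "empty file"
    for line_no, tok in toks:
        if len(tok) > max_token_len:
            return False, f"line {line_no}: token of {len(tok)} bytes exceeds {max_token_len}"
    head_line, head = toks[0]
    if head not in VALID_HEADERS:
        return False, f"line {head_line}: unexpected header {head!r}"
    counts = [t for _, t in toks[1:4]]
    if len(counts) < 3 or not all(re.fullmatch(r"\d+", c) for c in counts):
        return False, "missing or non-numeric vertex/face/edge counts"
    return True, "ok"


# Constructed sample inputs: a minimal valid triangle, and a file whose
# first token is far longer than any legitimate OFF header keyword.
GOOD_OFF = "OFF\n3 1 0\n0 0 0\n1 0 0\n0 1 0\n3 0 1 2\n"
BAD_OFF = "A" * 4096 + "\n3 1 0\n0 0 0\n1 0 0\n0 1 0\n3 0 1 2\n"

if __name__ == "__main__":
    for name, sample in (("good", GOOD_OFF), ("bad", BAD_OFF)):
        print(name, validate_off(sample))
```

Call validate_off on the file contents and only pass the path to PyBullet's vhacd function when it returns ok; rejected files should be logged, since a flood of rejections is itself a useful detection signal.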

🧯 If You Can't Patch

  • Restrict access to applications using bullet3's VHACD functionality to trusted users only.
  • Implement network segmentation to isolate systems using vulnerable bullet3 versions.

🔍 How to Verify

Check if Vulnerable:

Check the bullet3 version: if a version earlier than 3.26 is in use and OFF files are processed via VHACD, the system is vulnerable.

Check Version:

Check the bullet3 source or build configuration for the version number; for PyBullet, check pip list or import the module and check its version.

Verify Fix Applied:

Verify that the bullet3 version is 3.26 or later and that applications have been rebuilt against the updated library.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing OFF files
  • Unexpected process termination in bullet3-related applications

Network Indicators:

  • Unusual network traffic from systems running bullet3 applications

SIEM Query:

Process termination events for bullet3 or related applications, especially where OFF files were being processed at the time.
