Overview
Duc, an open-source disk management tool, contains a stack-based buffer overflow vulnerability that allows an out-of-bounds memory read. An attacker can trigger this vulnerability with malformed input data, causing the tool to crash or to disclose portions of memory that should remain inaccessible. The vulnerability, tracked as CVE-2025-13654, has been patched in version 1.4.6 of Duc. In an enterprise setting, disk indexing tools that use Duc may be susceptible to crashes, data exposure, or other abnormal behavior if they process attacker-controlled input.
Description
Duc is an open-source disk management tool. It can be used to index, inspect and visualize disk usage. Duc is intended for Linux operating systems. The tool maintains a database of the files it indexes, which can be queried or used to create graphs showing where the files are located.
A stack-based buffer overflow vulnerability has been discovered, tracked as CVE-2025-13654, within Duc. An attacker who can supply crafted input to the tool may trigger an out-of-bounds read, leading to a crash or unintended disclosure of adjacent stack data.
In the Duc source code, buffer.c contains a function called buffer_get. Its length check uses unsigned subtraction, which can wrap around on crafted input, so the check passes and memcpy() performs an out-of-bounds read.
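The following C program is an added illustration of the bug class described above (an unsigned-subtraction length check that wraps), not Duc's own code: the struct layout, the field names and the two predicate functions are assumptions chosen to show the failure mode and its fix, and do not reproduce buffer.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical read cursor over a byte buffer. Field names are assumed;
 * they are not Duc's actual layout. */
struct rbuf {
    const uint8_t *data;
    size_t len;   /* total bytes available in data */
    size_t pos;   /* current read offset */
};

/* Bounds predicate of the kind the advisory describes. Both operands are
 * size_t, so when pos > len the expression len - pos wraps to a huge value,
 * the comparison succeeds, and a later memcpy() reads past the buffer.
 * Returns 1 when the read would (wrongly) be allowed. */
int check_wraps(size_t len, size_t pos, size_t want)
{
    return want <= len - pos;   /* wraps when pos > len */
}

/* Hardened predicate: reject an inconsistent cursor before subtracting,
 * so the subtraction can no longer wrap. Returns 1 when the read is in range. */
int check_safe(size_t len, size_t pos, size_t want)
{
    if (pos > len)
        return 0;
    return want <= len - pos;   /* pos <= len here, so no wrap */
}

/* Copy `want` bytes from the cursor into out. Returns 0 on success and -1
 * when the request is out of range; memcpy() is only reached after the
 * hardened check. */
int rbuf_get(struct rbuf *b, void *out, size_t want)
{
    if (!check_safe(b->len, b->pos, want))
        return -1;
    memcpy(out, b->data + b->pos, want);
    b->pos += want;
    return 0;
}

int main(void)
{
    /* Constructed sample data, 8 bytes long. */
    static const uint8_t sample[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    struct rbuf b = { sample, sizeof sample, 0 };
    uint8_t out[4];

    printf("in-range read accepted: %d\n", rbuf_get(&b, out, 4));      /* 0 */

    /* Simulate a cursor driven past the end by malformed input. */
    b.pos = 12;
    printf("wrapping check allows read: %d\n", check_wraps(b.len, b.pos, 4)); /* 1 */
    printf("hardened check allows read: %d\n", check_safe(b.len, b.pos, 4));  /* 0 */
    printf("hardened read rejected: %d\n", rbuf_get(&b, out, 4));      /* -1 */
    return 0;
}
```

The defensive pattern is the ordering: validate that the cursor is still inside the buffer, then compare the remaining length, rather than computing a remainder that can underflow. A compiler will not warn about the wrapping form, so this is a check to look for in review of any parser that tracks an offset into untrusted data.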
Impact
An attacker able to send input data to a database or other input stream that uses Duc could cause a crash or information leak.
Solution
Version 1.4.6 of Duc, released on GitHub, fixes this issue. Users should update to the latest version as soon as possible. All versions prior to 1.4.6 are considered to be affected.
Acknowledgements
Thanks to the reporter, HackingByDoing (hackingbydoing@proton.me). This document was written by Christopher Cullen.
Vendor Information
Other Information
| CVE IDs: | CVE-2025-13654 |
| API URL: | VINCE JSON, CSAF |
| Date Public: | 2025-12-05 |
| Date First Published: | 2025-12-05 |
| Date Last Updated: | 2025-12-05 12:41 UTC |
| Document Revision: | 1 |