CVE-2025-64646 - Vulnerability Details - OpenCVE

IBM Concert 1.0.0 through 2.2.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Concert

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://www.ibm.com/support/pages/node/7267105

History

Wed, 25 Mar 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		IBM Concert 1.0.0 through 2.2.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.
Title		Multiple Vulnerabilities in IBM Concert Software
First Time appeared		Ibm Ibm concert
Weaknesses		CWE-14
CPEs		cpe:2.3:a:ibm:concert:1.0.0:::::::* cpe:2.3:a:ibm:concert:2.2.0:::::::*
Vendors & Products		Ibm Ibm concert
References		https://www.ibm.com/support/pages/node/7267105
Metrics		cvssV3_1 `{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-03-25T20:35:51.740Z

Updated: 2026-03-25T20:35:51.740Z

Reserved: 2025-11-06T18:13:00.559Z

Link: CVE-2025-64646

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-25T21:16:25.647

Modified: 2026-03-25T21:16:25.647

Link: CVE-2025-64646

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T21:46:04Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64646", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-11-06T18:13:00.559Z", "datePublished": "2026-03-25T20:35:51.740Z", "dateUpdated": "2026-03-25T20:35:51.740Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-03-25T20:35:51.740Z"}, "title": "Multiple Vulnerabilities in IBM Concert Software", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-14", "description": "CWE-14 Compiler Removal of Code to Clear Buffers", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Concert", "versions": [{"status": "affected", "version": "1.0.0", "lessThanOrEqual": "2.2.0", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:concert:2.2.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Concert 1.0.0 through 2.2.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Concert 1.0.0 through 2.2.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7267105", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1\n\nDownload IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry ( ICR https://myibm.ibm.com/products-services/containerlibrary ) and follow\u00a0 installation instructions https://www.ibm.com/docs/en/concert \u00a0depending on the type of deployment.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM strongly recommends addressing the vulnerability now by upgrading to IBM Concert Software 2.3.1</p><p>Download IBM Concert Software 2.3.1 from Container software library section of IBM Entitled Registry (<a href=\"https://myibm.ibm.com/products-services/containerlibrary\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">ICR</a>) and follow <a href=\"https://www.ibm.com/docs/en/concert?topic=installing-preparing-run-installs-from-private-container-registry\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">installation instructions</a> depending on the type of deployment.</p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}}}

{"analysis": {"en": {"generated_at": "2026-03-25T21:23:06.943955+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading to IBM Concert Software 2.3.1 as recommended by IBM.", "If immediate upgrade is not feasible, restrict access to the application by tightening network security controls and limiting user privileges to mitigate potential exploitation of the buffer handling flaw."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is IBM Concert Software, specifically all releases from version 1.0.0 up to and including 2.2.0. Users running any of these releases should verify the version number and consider upgrading to the newer 2.3.1 release that includes the mitigation.", "description_and_impact": "IBM Concert versions 1.0.0 through 2.2.0 contain a buffer handling flaw that prevents sensitive memory contents from being properly cleared, allowing an attacker to read those contents. The vulnerability is a form of information disclosure because it can reveal data such as authentication tokens, configuration details, or other secrets that are stored temporarily in memory during normal operation. Although the description does not disclose an explicit attack vector, it is reasonable to infer that the flaw becomes exploitable when an attacker can influence the input or execution path that triggers the buffer handling routine, potentially through local or network interfaces that accept user data.", "risk_and_exploitability": "The CVSS score of 6.2 indicates a medium severity impact, with the possibility of exposing sensitive data causing confidentiality loss. While EPSS data is not available, the lack of a listing in the CISA KEV catalog suggests that no publicly known exploits are reported yet, but the vulnerability can still be leveraged in a targeted attack. Because the flaw involves memory content left uncleared, the risk is highest for systems that handle highly sensitive information or reside in shared or multi-tenant environments. Prompt remediation reduces the window for an attacker to exploit the issue and gain valuable data."}}}}, "created": "2026-03-25T21:46:04.914820+00:00", "updated": "2026-03-25T21:46:04.914872+00:00", "vendors": []}