LiveActive security incident?Get immediate response
CVE Record

CVE-2012-10057: Lattice Semiconductor ispVM System 18.0.2 XCF File Handling Buffer Overflow

Lattice Semiconductor ispVM System v18.0.2 contains a buffer overflow vulnerability in its handling of .xcf project files. When parsing the version attribute of the ispXCF XML tag, the application fails to properly validate input length, allowing a specially crafted file to overwrite memory on the stack. This can result in arbitrary code execution under the context of the user who opens the file. The vulnerability is triggered locally by opening a malicious .xcf file and does not require elevated privileges.

HighCVSS 8.4Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2012-10057 affects Lattice Semiconductor ispVM System 18.0.2. A malicious .xcf project file can crash or take control of the application when a user opens it. The business risk is workstation compromise in engineering environments that exchange FPGA or device-programming project files.

Executive priority

Prioritize this where ispVM supports production engineering, device programming, or customer project intake. The vulnerability is high impact but needs user interaction and appears limited to a specific legacy version.

Technical view

The flaw is a stack-based buffer overflow in .xcf parsing. The vulnerable path handles the version attribute of the ispXCF XML tag without proper length validation, enabling memory overwrite and possible code execution in the current user context. CVSS v4.0 is 8.4 high.

Likely exposure

Exposure is most likely on engineering or build workstations running Lattice ispVM System 18.0.2 and opening .xcf files from email, vendors, archives, shared drives, or downloaded project packages.

Exploitation context

Public exploit references exist, including Metasploit and Exploit-DB entries. The provided data does not show CISA KEV listing or confirmed active exploitation. Exploitation requires local user interaction: opening a malicious .xcf file.

Researcher notes

Evidence supports a local file-format attack with public exploit material. Do not assume network reachability or active exploitation from the provided sources. Patch status is not established in the bundle, so remediation should be tied to current Lattice guidance.

Mitigation direction

  • Identify and restrict use of Lattice ispVM System 18.0.2.
  • Check Lattice guidance for supported replacement, upgrade, or mitigation details.
  • Do not open untrusted .xcf project files.
  • Limit .xcf handling to isolated engineering workstations where feasible.
  • Apply least-privilege controls for users running ispVM.

Validation and detection

  • Inventory endpoints for Lattice ispVM System 18.0.2.
  • Confirm whether users handle .xcf files from external or untrusted sources.
  • Review endpoint controls for file-type restrictions and application isolation.
  • Check vendor guidance before declaring systems remediated.
  • Confirm no unsupported ispVM installations remain in production workflows.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-121: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2012-10057 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.4 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
6Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.4CVSS 4.0HighCVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

8.4High
CVSS 4.0 vector shape for CVE-2012-10057Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Lattice SemiconductorispVM System18.0.2unknown
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-121 · source CWE mapping

Stack-based Buffer Overflow

Stack-based Buffer Overflow represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.