A stack-based buffer overflow vulnerability has been discovered in Duc, a popular open-source tool used for indexing and visualizing disk usage on Linux systems. The flaw, tracked as CVE-2025-13654, was disclosed in a recent vulnerability note released by the CERT Coordination Center (CERT/CC).
This vulnerability poses a significant risk in enterprise environments where disk indexing tools are automated or exposed to untrusted input.
The vulnerability resides in the core of the Duc software library, specifically within the buffer_get function in the buffer.c file.
According to the advisory, the flaw is caused by an integer underflow condition. “Its length check uses unsigned subtraction, which can wrap on crafted input and result in memcpy() performing an out-of-bounds read.” This means an attacker who can supply malformed input data to the tool can trick it into reading memory it shouldn’t access.
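The bug class the advisory describes, shown as an added illustration that is not Duc's source and not code from the advisory: a length check built on unsigned subtraction next to a form that cannot wrap. The names struct rbuf, check_wrapping, check_safe and rbuf_get are hypothetical, and the 8-byte record is constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical read cursor over serialized input; not Duc's own struct. */
struct rbuf {
    const uint8_t *data;
    size_t len; /* valid bytes in data */
    size_t pos; /* current read offset */
};

/* Flawed check: when want > len, the unsigned (len - want) wraps to a
 * value near SIZE_MAX, so the comparison passes for an oversized request. */
static int check_wrapping(const struct rbuf *b, size_t want)
{
    return b->pos <= b->len - want;
}

/* Hardened check: validate pos first, then compare want against the
 * bytes remaining; (len - pos) cannot wrap once pos <= len holds. */
static int check_safe(const struct rbuf *b, size_t want)
{
    return b->pos <= b->len && want <= b->len - b->pos;
}

/* Copy want bytes to out only if the hardened check passes.
 * Returns 0 on success, -1 if the request is rejected. */
static int rbuf_get(struct rbuf *b, void *out, size_t want)
{
    if (!check_safe(b, want))
        return -1;
    memcpy(out, b->data + b->pos, want);
    b->pos += want;
    return 0;
}

int main(void)
{
    static const uint8_t record[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    struct rbuf b = {record, sizeof record, 0};
    uint8_t out[16] = {0};
    /* A 16-byte request against an 8-byte record. */
    printf("wrapping check accepts: %d\n", check_wrapping(&b, 16));
    printf("safe check accepts:     %d\n", check_safe(&b, 16));
    printf("rbuf_get(16) returns:   %d\n", rbuf_get(&b, out, 16));
    return 0;
}
```

The flawed predicate is only evaluated here, never used to drive a copy, so the program stays within bounds while showing that the check would have let the oversized memcpy() through.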
While Duc is primarily a local administrative tool, the implications of this bug are serious if the tool processes data from external sources.
“An attacker able to send input data to a database or other input stream that uses Duc could cause a crash or information leak,” the note warns. This could lead to:
- Denial of Service (DoS): Crashing the tool and interrupting disk monitoring services.
- Information Disclosure: Unintended exposure of “adjacent stack data,” potentially leaking sensitive information from the process memory.
The vulnerability was reported by security researcher Hacking ByDoing.
The maintainers of Duc have released a fix. Administrators and users are urged to upgrade immediately.
- Affected Versions: All versions prior to 1.4.6.
- Fixed Version: Duc 1.4.6.
The patch is available on the project’s GitHub repository. Users should update their installations to mitigate the risk of exploitation.