
CISA issues advisory on Duc patch for stack buffer overflow

Duc, an open-source disk management utility for Linux, contains a stack-based buffer overflow that permits out-of-bounds memory reads and can cause the program to crash or disclose adjacent stack data.

The issue is tracked as CVE-2025-13654. Duc provides disk indexing, inspection, and visualization and maintains a database of indexed files. The vulnerability is located in buffer.c in a function named buffer_get; its length check uses unsigned subtraction that can wrap on crafted input and result in memcpy() performing an out-of-bounds read. An attacker who can supply crafted input to the tool may trigger this behavior. The flaw is fixed in version 1.4.6.

If an attacker is able to send input data to a database or other input stream that uses Duc, the attacker could cause a crash or information leak.
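To illustrate the bug class the advisory describes, the following is an added example written for this article, not Duc's own buffer.c: a hypothetical read cursor whose "remaining bytes" check uses unsigned subtraction and therefore wraps once the cursor has been advanced past the end of the data, shown beside a hardened check that rejects the request. The struct, function names and sample bytes are all constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory read cursor (constructed; not Duc's real struct). */
typedef struct {
    const uint8_t *data;
    size_t len;   /* total bytes available */
    size_t pos;   /* bytes consumed so far */
} rbuf_t;

/* Flawed check of the kind the advisory describes: if pos was pushed past
 * len by earlier crafted input, len - pos wraps to a huge size_t and a
 * read of n bytes is wrongly accepted, so a following memcpy() reads
 * out of bounds. Only the decision is computed here; nothing is copied. */
bool unsafe_check_accepts(const rbuf_t *b, size_t n) {
    size_t remaining = b->len - b->pos;   /* wraps when pos > len */
    return n <= remaining;
}

/* Hardened check: refuse a cursor that is already past the end before
 * subtracting, then compare against the true remaining byte count. */
bool safe_check_accepts(const rbuf_t *b, size_t n) {
    if (b->pos > b->len) return false;
    return n <= b->len - b->pos;
}

/* Hardened get: copies n bytes only when [pos, pos+n) lies inside the
 * data. Returns 0 on success and -1 when the request is rejected. */
int safe_buffer_get(rbuf_t *b, void *out, size_t n) {
    if (!safe_check_accepts(b, n)) return -1;
    memcpy(out, b->data + b->pos, n);
    b->pos += n;
    return 0;
}

/* Exercises both checks on constructed states; returns the number of
 * expectations that held (5 when both functions behave as described). */
int run_demo(void) {
    static const uint8_t sample[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t out[4] = {0};
    int ok = 0;
    rbuf_t good = { sample, sizeof sample, 0 };
    ok += (safe_buffer_get(&good, out, 4) == 0 && out[3] == 4);
    ok += (safe_buffer_get(&good, out, 5) == -1);     /* only 4 bytes remain */
    rbuf_t past_end = { sample, sizeof sample, 12 };  /* cursor beyond len */
    ok += (unsafe_check_accepts(&past_end, 16) == true);  /* wrapped: accepted */
    ok += (safe_check_accepts(&past_end, 16) == false);   /* hardened: rejected */
    ok += (safe_buffer_get(&past_end, out, 1) == -1);
    return ok;
}

int main(void) { printf("checks held: %d/5\n", run_demo()); return 0; }
```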

Version 1.4.6 of Duc has been released on GitHub. Users should update to the latest version as soon as possible. All versions prior to 1.4.6 are considered affected.

The advisory advises that users update to the latest available release promptly.