CVE-2025-48386: GitHub: CVE-2025-48386 Git Credential Helper Vulnerability

Overview

Severity

N/A

Exploit Status

Not Exploited

Patch Tuesday

2025-Jul

Released

2025-07-08

Last Updated

2025-08-22

EPSS Score

0.01% (percentile: 0.6%)

Description

CVE-2025-48386 is regarding a vulnerability in Git where the wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. GitHub created this CVE on their behalf. The documented Visual Studio updates incorporate updates in Git which address this vulnerability. Please see CVE-2025-48386 for more information.

Affected Products (6)

Developer Tools

• Microsoft Visual Studio 2022 version 17.10
• Microsoft Visual Studio 2022 version 17.14
• Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
• Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
• Microsoft Visual Studio 2022 version 17.8
• Microsoft Visual Studio 2022 version 17.12

Security Updates (6)

• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes

Revision History

• 2025-07-08: Information published.
• 2025-08-22: Corrected the CVE Numbering Authority (CNA). This is an informational change only.