CVE-2021-47875
GeoGebra · GeoGebra CAS Calculator Multiple Products
A critical denial of service vulnerability exists in the GeoGebra CAS Calculator application.
Executive summary
A critical denial of service vulnerability exists in the GeoGebra CAS Calculator application. An attacker can exploit this flaw by simply pasting a long string of text into the input field, which causes a buffer overflow and forces the application to crash. This can lead to a loss of productivity and potential loss of unsaved work for users relying on the software.
Vulnerability
The application is susceptible to a buffer overflow in its input-handling function. When a user pastes an unexpectedly large amount of data (e.g., 8000 repeated characters) into the calculator's input field, the application does not validate the input size before processing it. The oversized input overwrites adjacent memory, corrupting it and causing the application to terminate unexpectedly, resulting in a denial of service.
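The pattern described above, as an added illustration in C that is not GeoGebra's code: a fixed-size input buffer filled by an unbounded copy (the vulnerable form) beside a handler that checks the length first and rejects oversized input instead of crashing (the hardened form). The buffer size, function names and the 8000-character test input are assumptions constructed for the example; nothing here calls the unchecked version with oversized input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the illustration; the real application's
 * internal sizes are not stated in the advisory. */
#define INPUT_BUF_SIZE 256

/* Vulnerable pattern (for contrast only): the pasted text is copied into a
 * fixed buffer with no length check. Anything longer than
 * INPUT_BUF_SIZE - 1 bytes writes past the end of 'buf', which is undefined
 * behaviour and typically ends in the crash the advisory describes. */
int handle_input_unchecked(const char *pasted)
{
    char buf[INPUT_BUF_SIZE];
    strcpy(buf, pasted);            /* no bound: overflows on long input */
    return (int)strlen(buf);
}

/* Hardened form: the size is validated before anything is copied, and an
 * oversized paste is reported as an error rather than processed. */
enum input_status { INPUT_OK = 0, INPUT_TOO_LONG = 1, INPUT_NULL = 2 };

enum input_status handle_input_checked(const char *pasted, size_t *out_len)
{
    char buf[INPUT_BUF_SIZE];
    size_t len = 0;

    if (pasted == NULL)
        return INPUT_NULL;

    /* Bounded scan: never looks further than the buffer can hold, so an
     * 8000-character paste is rejected after at most INPUT_BUF_SIZE bytes. */
    while (len < INPUT_BUF_SIZE && pasted[len] != '\0')
        len++;
    if (len == INPUT_BUF_SIZE)
        return INPUT_TOO_LONG;      /* no room for the text plus its NUL */

    memcpy(buf, pasted, len + 1);   /* fits, terminator included */
    if (out_len)
        *out_len = len;
    return INPUT_OK;
}

/* Builds the advisory's test case: n copies of one character.
 * Constructed input; the caller frees the result. */
char *make_repeated(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    size_t len = 0;
    char *big = make_repeated('A', 8000);
    enum input_status st;

    if (big == NULL)
        return 1;

    st = handle_input_checked("x^2+1", &len);
    printf("short input: status %d, length %zu\n", (int)st, len);

    st = handle_input_checked(big, &len);
    printf("8000-char paste: status %d (%s)\n", (int)st,
           st == INPUT_TOO_LONG ? "rejected before copy" : "accepted");

    free(big);
    return 0;
}
```

The defensive point is the order of operations: the length is established against a hard limit before any write into the fixed buffer, so the worst an oversized paste can do is produce an error the caller can surface to the user.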
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, primarily due to the ease of exploitation and complete loss of availability for the application. Exploitation will immediately crash the GeoGebra application, interrupting user workflows and causing a loss of any unsaved data. For organizations that rely on this software for educational, engineering, or mathematical purposes, this can lead to significant productivity disruptions and operational delays.
Remediation
Immediate Action: Update all instances of GeoGebra CAS Calculator to the latest version provided by the vendor. This is the most effective way to permanently resolve the vulnerability.
Proactive Monitoring: System administrators should monitor application and system event logs for crash reports or unexpected terminations of the GeoGebra.exe process. Any correlation between application crashes and user input actions should be investigated as a potential exploitation attempt.
Compensating Controls: If immediate patching is not feasible, implement user awareness training to advise employees against pasting content from untrusted sources into the application. Application control policies can also be used to restrict the execution of known vulnerable versions of the software until they can be updated.
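The "Proactive Monitoring" item above, as an added detection example that is not part of the advisory: a small scanner over an Application event log export that picks out Application Error events (Windows Event ID 1000) whose faulting process is GeoGebra.exe and counts them per workstation, so that a burst of crashes on one host can be queued for review against that user's input actions. The log lines, host names, CSV layout and the alert threshold are all constructed assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of an Application log export (not real log data),
 * one event per line: "timestamp,host,event_id,source,message".
 * Windows records a faulting process as Event ID 1000 from source
 * "Application Error". */
const char *const SAMPLE_EVENTS[] = {
    "2024-05-02T09:14:03Z,WS-017,1000,Application Error,Faulting application name: GeoGebra.exe",
    "2024-05-02T09:14:40Z,WS-017,1000,Application Error,Faulting application name: GeoGebra.exe",
    "2024-05-02T09:15:12Z,WS-017,1000,Application Error,Faulting application name: GeoGebra.exe",
    "2024-05-02T09:20:55Z,WS-042,1000,Application Error,Faulting application name: notepad.exe",
    "2024-05-02T09:21:30Z,WS-042,7036,Service Control Manager,The Print Spooler service entered the running state.",
    "2024-05-02T10:02:11Z,WS-042,1000,Application Error,Faulting application name: GeoGebra.exe",
};
const size_t SAMPLE_EVENTS_LEN = sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0];

/* Assumed threshold: this many GeoGebra crashes on one host warrants review. */
#define CRASH_ALERT_THRESHOLD 3

/* Returns 1 if the line is an Application Error (ID 1000) whose faulting
 * process is GeoGebra.exe, otherwise 0. Only the first four fields are
 * split on commas; the message is everything after the fourth comma. */
int is_geogebra_crash(const char *line)
{
    const char *p = line;
    long event_id = -1;
    int field;

    for (field = 0; field < 4; field++) {
        const char *comma = strchr(p, ',');
        if (comma == NULL)
            return 0;                       /* malformed: too few fields */
        if (field == 2)
            event_id = strtol(p, NULL, 10);
        if (field == 3) {
            size_t n = (size_t)(comma - p);
            if (n != strlen("Application Error") ||
                strncmp(p, "Application Error", n) != 0)
                return 0;
        }
        p = comma + 1;
    }
    if (event_id != 1000)
        return 0;
    return strstr(p, "Faulting application name: GeoGebra.exe") != NULL;
}

/* Counts GeoGebra crash events recorded for one host. */
size_t count_geogebra_crashes(const char *const lines[], size_t n, const char *host)
{
    size_t count = 0, i;
    for (i = 0; i < n; i++) {
        const char *h = strchr(lines[i], ',');   /* host is the 2nd field */
        const char *end;
        if (h == NULL)
            continue;
        h++;
        end = strchr(h, ',');
        if (end == NULL)
            continue;
        if ((size_t)(end - h) == strlen(host) &&
            strncmp(h, host, (size_t)(end - h)) == 0 &&
            is_geogebra_crash(lines[i]))
            count++;
    }
    return count;
}

/* Returns 1 when a host has reached the crash threshold and its recent
 * input activity should be reviewed, as the advisory recommends. */
int host_needs_review(const char *const lines[], size_t n, const char *host)
{
    return count_geogebra_crashes(lines, n, host) >= CRASH_ALERT_THRESHOLD;
}

int main(void)
{
    const char *hosts[] = { "WS-017", "WS-042" };
    size_t i;
    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        size_t c = count_geogebra_crashes(SAMPLE_EVENTS, SAMPLE_EVENTS_LEN, hosts[i]);
        printf("%s: %zu GeoGebra.exe crash event(s)%s\n", hosts[i], c,
               host_needs_review(SAMPLE_EVENTS, SAMPLE_EVENTS_LEN, hosts[i])
                   ? " -> review user input activity" : "");
    }
    return 0;
}
```

Matching on both the event ID and the source name keeps unrelated events (other applications faulting, service state changes) out of the count; the per-host grouping is what turns isolated crash records into the correlation the advisory asks administrators to investigate.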
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the critical severity (CVSS 9.8) and the trivial nature of the exploit, it is strongly recommended that organizations prioritize the immediate deployment of the vendor-supplied patches to all affected systems. Although this vulnerability is not listed in the CISA KEV catalog, the low barrier to exploitation presents a significant risk of service disruption. All workstations with GeoGebra CAS Calculator installed should be identified and updated without delay.