Critical memory corruption flaw in IBM AIX and VIOS package manager
Take action: If you're running IBM AIX or VIOS systems, check whether you have vulnerable RPM versions installed (run lslpp -L | grep -i rpm.rte). Then plan a maintenance window to apply IBM's security patches for CVE-2025-6965.
IBM is reporting a critical vulnerability in the AIX and VIOS operating systems that could allow attackers to corrupt memory and potentially execute malicious code on affected systems. The vulnerability
The flaw is tracked as CVE-2025-6965 (CVSS score 9.8) and is caused by a flaw in the RPM package manager, which both AIX and VIOS rely upon for package management operations. The vulnerability exists in SQLite versions prior to 3.50.2, which is embedded within RPM. When the number of aggregate terms in a database query exceeds the number of available columns, the flaw leads to a numeric truncation error that can trigger arbitrary memory corruption.
Although the original SQLite vulnerability was initially assigned a CVSS score of 7.2 (high severity), IBM has raised the rating to 9.8 (critical) because of the potential impact on AIX and VIOS environments, where exploitation could result in complete system compromise.
Affected versions include:
- AIX 7.2 (all service packs)
- AIX 7.3 (all service packs)
- VIOS 3.1 (all updates)
- VIOS 4.1 (all updates)
The following RPM fileset versions are vulnerable and require immediate patching:
- rpm.rte versions from 4.15.1.1000 to 4.15.1.1016
- rpm.rte versions from 4.15.1.2000 to 4.15.1.2014
- rpm.rte versions from 4.18.1.2000 to 4.18.1.2006
IBM has released updated RPM filesets. Administrators can check if their systems are affected by running the command lslpp -L | grep -i rpm.rte to identify currently installed versions. The company urges immediate deployment of the available patches.
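As an added example (not IBM's own tooling), the following POSIX shell script parses lslpp -L style output and flags any rpm.rte level that falls inside the vulnerable ranges listed above. The lslpp column layout (Fileset, Level, State, Type, Description) is an assumption, and the sample line is constructed; on a real system replace the sample with the output of lslpp -L | grep -i rpm.rte.

```shell
#!/bin/sh
# Added example, not from IBM's advisory: compare an installed rpm.rte
# level against the vulnerable ranges given in the advisory text.

# Vulnerable rpm.rte ranges from the advisory, "low high" per line.
VULN_RANGES="4.15.1.1000 4.15.1.1016
4.15.1.2000 4.15.1.2014
4.18.1.2000 4.18.1.2006"

# vercmp A B: prints -1, 0 or 1, comparing dotted numeric levels field by field.
vercmp() {
  echo "$1 $2" | awk '{
    n1 = split($1, a, "."); n2 = split($2, b, ".")
    n = (n1 > n2) ? n1 : n2
    for (i = 1; i <= n; i++) {
      x = (i <= n1) ? a[i] + 0 : 0
      y = (i <= n2) ? b[i] + 0 : 0
      if (x < y) { print "-1"; exit }
      if (x > y) { print "1"; exit }
    }
    print "0"
  }'
}

# rpm_rte_vulnerable LEVEL: exit status 0 if LEVEL lies in any vulnerable range.
rpm_rte_vulnerable() {
  level=$1
  echo "$VULN_RANGES" | while read -r lo hi; do
    [ -z "$lo" ] && continue
    if [ "$(vercmp "$level" "$lo")" -ge 0 ] && [ "$(vercmp "$level" "$hi")" -le 0 ]; then
      echo vulnerable
    fi
  done | grep -q vulnerable
}

# check_lslpp_output: read lslpp -L lines on stdin and report each rpm.rte
# fileset as VULNERABLE or not-in-vulnerable-range (assumed column layout:
# Fileset Level State Type Description).
check_lslpp_output() {
  grep -i 'rpm\.rte' | while read -r fileset level rest; do
    if rpm_rte_vulnerable "$level"; then
      echo "$fileset $level VULNERABLE"
    else
      echo "$fileset $level not-in-vulnerable-range"
    fi
  done
}

# Constructed sample line in lslpp -L format (not captured from a real host).
SAMPLE='  rpm.rte                  4.15.1.2006    C     F    RPM Package Manager'
printf '%s\n' "$SAMPLE" | check_lslpp_output
```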
IBM recommends creating a full system backup using the mksysb utility before applying any updates, and verifying that the backup is both bootable and readable to ensure system recovery capability if needed.