CVE-2025-2173
Published: 11 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2173 is a vulnerability in the libzvbi library versions up to 0.2.43, classified as problematic due to an uninitialized pointer issue. The flaw affects the vbi_strndup_iconv_ucs2 function in the src/conv.c file, where manipulation of the src_length argument triggers the use of an uninitialized pointer, corresponding to CWEs-824 (Access of Uninitialized Pointer) and CWE-908 (Use of Uninitialized Resource). The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact.
The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required, as it has low attack complexity and no user interaction needed. By crafting input that manipulates the src_length parameter, an attacker can trigger the uninitialized pointer dereference, potentially leading to limited information disclosure. An exploit has been publicly disclosed and may be usable against affected libzvbi instances.
Mitigation is available through upgrading to libzvbi version 0.2.44, which addresses the issue via the patch commit 8def647eea27f7fd7ad33ff79c2d6d3e39948dce. The library maintainer was notified in advance and responded promptly and professionally, with details documented in the GitHub security advisory (GHSA-g7cg-7gw9-v8cf), release notes, and commit history.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote unauthenticated exploitation with no user interaction required, directly enabling exploitation of a public-facing application (or remote service) using the vulnerable library for limited information disclosure.