CVE-2025-2174
Published: 11 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-2174 is an integer overflow vulnerability affecting libzvbi versions up to and including 0.2.43. The issue resides in the vbi_strndup_iconv_ucs2 function within the src/conv.c file, where manipulation of the src_length argument triggers the overflow. Classified under CWE-189 and CWE-190, it carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity primarily due to availability impact.
The vulnerability enables remote exploitation without authentication or user interaction. An attacker can send crafted input over the network to any system using the affected libzvbi versions, triggering the integer overflow and resulting in a limited denial of service, such as application crashes. Public disclosure of an exploit exists, increasing the risk of immediate use against vulnerable deployments.
Mitigation involves upgrading to libzvbi version 0.2.44, which incorporates the fixing commit ca1672134b3e2962cd392212c73f44f8f4cb489f. The project maintainer was notified in advance and responded promptly and professionally, as detailed in the GitHub security advisory (GHSA-g7cg-7gw9-v8cf) and release notes.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Integer overflow in libzvbi enables remote unauthenticated crafted input to trigger application crashes, directly mapping to Endpoint Denial of Service via Application or System Exploitation.