CVE-2025-2176
Published: 11 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-2176 is a critical integer overflow vulnerability in libzvbi versions up to 0.2.43, specifically affecting the vbi_capture_sim_load_caption function in the src/io-sim.c file. The issue, tied to CWE-189 and CWE-190, allows manipulation that triggers the overflow, and it has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation can result in limited impacts to confidentiality, integrity, and availability, such as partial data exposure, modification, or denial of service. The exploit has been publicly disclosed and may be usable.
Mitigation involves upgrading to libzvbi version 0.2.44, which addresses the issue via the patch commit ca1672134b3e2962cd392212c73f44f8f4cb489f. The project maintainer was notified in advance and responded quickly and professionally, with details available in the GitHub security advisory GHSA-g7cg-7gw9-v8cf and related release notes.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote integer overflow in libzvbi's vbi_capture_sim_load_caption leads to heap overflow, enabling exploitation for client execution (T1203) or endpoint DoS via application exploitation (T1499.004).