CVE-2025-2177
Published: 11 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-2177 is a critical integer overflow vulnerability in libzvbi versions up to 0.2.43. The issue resides in the vbi_search_new function within the src/search.c file, where manipulation of the pat_len argument triggers the overflow. This flaw is associated with CWE-189 and CWE-190.
The vulnerability enables remote exploitation by unauthenticated attackers with low attack complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Exploitation can lead to limited impacts on confidentiality, integrity, and availability. An exploit has been publicly disclosed and may be used.
Advisories recommend upgrading to libzvbi version 0.2.44, which resolves the issue through patch commit ca1672134b3e2962cd392212c73f44f8f4cb489f. The code maintainer was notified in advance and responded quickly and professionally. Additional details are provided in the GitHub security advisory (GHSA-g7cg-7gw9-v8cf), release notes for v0.2.44, and the patch commit.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote integer overflow in libzvbi's vbi_search_new leads to heap overflow, enabling client-side exploitation for code execution (T1203) or endpoint denial of service via application crash (T1499.004).