CVE-2025-2173: libzvbi conv.c vbi_strndup_iconv_ucs2 uninitialized pointer
First published: Tue Mar 11 2025(Updated: )
A vulnerability was found in libzvbi up to 0.2.43. It has been classified as problematic. Affected is the function vbi_strndup_iconv_ucs2 of the file src/conv.c. The manipulation of the argument src_length leads to uninitialized pointer. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.2.44 is able to address this issue. The patch is identified as 8def647eea27f7fd7ad33ff79c2d6d3e39948dce. It is recommended to upgrade the affected component. The code maintainer was informed beforehand about the issues. She reacted very fast and highly professional.
Credit: cna@vuldb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| libzvbi | <=0.2.43 | |
| debian/zvbi | <=0.2.35-18<=0.2.41-1 | 0.2.44-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/zapping-vbi/zvbi/commit/8def647eea27f7fd7ad33ff79c2d6d3e39948dce
- https://github.com/zapping-vbi/zvbi/releases/tag/v0.2.44
- https://github.com/zapping-vbi/zvbi/security/advisories/GHSA-g7cg-7gw9-v8cf
- https://vuldb.com/?ctiid.299202
- https://vuldb.com/?id.299202
- https://vuldb.com/?submit.512798
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2173
- https://nvd.nist.gov/vuln/detail/CVE-2025-2173
- https://launchpad.net/bugs/cve/CVE-2025-2173
- https://security-tracker.debian.org/tracker/CVE-2025-2173
- https://ubuntu.com/security/CVE-2025-2173
Frequently Asked Questions
What is the severity of CVE-2025-2173?
CVE-2025-2173 is classified as problematic due to its potential to lead to remote code execution from uninitialized pointers.
How do I fix CVE-2025-2173?
To fix CVE-2025-2173, update libzvbi to a version later than 0.2.43.
Which versions of libzvbi are affected by CVE-2025-2173?
Versions of libzvbi up to and including 0.2.43 are affected by CVE-2025-2173.
What specific function is vulnerable in CVE-2025-2173?
The vulnerable function in CVE-2025-2173 is vbi_strndup_iconv_ucs2 located in src/conv.c.
Can CVE-2025-2173 be exploited remotely?
Yes, CVE-2025-2173 can be exploited remotely due to the nature of the vulnerability.
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- collector/nvd-cve
- agent/references
- agent/source
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- vendor/libzvbi
- canonical/libzvbi
- package-manager/debian