CVE-2025-2174: libzvbi conv.c vbi_strndup_iconv_ucs2 integer overflow
First published: Tue Mar 11 2025(Updated: )
A vulnerability was found in libzvbi up to 0.2.43. It has been declared as problematic. Affected by this vulnerability is the function vbi_strndup_iconv_ucs2 of the file src/conv.c. The manipulation of the argument src_length leads to integer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.2.44 is able to address this issue. The patch is named ca1672134b3e2962cd392212c73f44f8f4cb489f. It is recommended to upgrade the affected component. The code maintainer was informed beforehand about the issues. She reacted very fast and highly professional.
Credit: cna@vuldb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| libzvbi | <=0.2.43 | |
| debian/zvbi | <=0.2.35-18<=0.2.41-1 | 0.2.44-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/zapping-vbi/zvbi/commit/ca1672134b3e2962cd392212c73f44f8f4cb489f
- https://github.com/zapping-vbi/zvbi/releases/tag/v0.2.44
- https://github.com/zapping-vbi/zvbi/security/advisories/GHSA-g7cg-7gw9-v8cf
- https://vuldb.com/?ctiid.299203
- https://vuldb.com/?id.299203
- https://vuldb.com/?submit.512800
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2174
- https://nvd.nist.gov/vuln/detail/CVE-2025-2174
- https://launchpad.net/bugs/cve/CVE-2025-2174
- https://security-tracker.debian.org/tracker/CVE-2025-2174
- https://ubuntu.com/security/CVE-2025-2174
Frequently Asked Questions
What is the severity of CVE-2025-2174?
CVE-2025-2174 is classified as a problematic vulnerability due to its potential for causing integer overflow.
How do I fix CVE-2025-2174?
To fix CVE-2025-2174, you should update libzvbi to a version later than 0.2.43.
Which versions of libzvbi are affected by CVE-2025-2174?
Versions of libzvbi up to and including 0.2.43 are affected by CVE-2025-2174.
What components of libzvbi does CVE-2025-2174 impact?
CVE-2025-2174 specifically impacts the function vbi_strndup_iconv_ucs2 in the file src/conv.c.
Can CVE-2025-2174 be exploited remotely?
Yes, an attack leveraging CVE-2025-2174 can be launched remotely due to its nature.
- agent/title
- agent/weakness
- agent/first-publish-date
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- collector/nvd-cve
- agent/references
- agent/source
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- vendor/libzvbi
- canonical/libzvbi
- package-manager/debian