CVE-2025-48174
PUBLISHED
CVSS 4.5 MEDIUM
In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size.
EPSS 0.36% · 58.5th percentile
Risk Scores
- CVSS v3.1: 4.5 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L)
- EPSS Score: 0.36% (58.5th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| aomedia | libavif | 0, 0, 0 |
Timeline
- May 16, 2025 CVE Published
- May 16, 2025 EPSS Score
- May 27, 2025 EPSS Score
- Jun 8, 2025 EPSS Score
- Jun 19, 2025 EPSS Score
- Jun 30, 2025 EPSS Score
- Jul 12, 2025 EPSS Score
- Jul 23, 2025 EPSS Score
- Aug 3, 2025 EPSS Score
- Aug 14, 2025 EPSS Score
- Aug 17, 2025 PoC Published
References
- https://github.com/AOMediaCodec/libavif/pull/2768
- https://github.com/AOMediaCodec/libavif/commit/e5fdefe7d1776e6c4cf1703c163a8c0535599029
- https://github.com/AOMediaCodec/libavif/commit/50a743062938a3828581d725facc9c2b92a1d109
- https://github.com/AOMediaCodec/libavif/commit/c9f1bea437f21cb78f9919c332922a3b0ba65e11
- https://lists.debian.org/debian-lts-announce/2025/05/msg00031.html
- https://nvd.nist.gov/vuln/detail/CVE-2025-48174 (advisory)