CVE-2025-2173

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-2173
A vulnerability was found in libzvbi up to 0.2.43. It has been classified as problematic. Affected is the function vbi_strndup_iconv_ucs2 of the file src/conv.c. The manipulation of the argument src_length leads to uninitialized pointer. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.2.44 is able to address this issue. The patch is identified as 8def647eea27f7fd7ad33ff79c2d6d3e39948dce. It is recommended to upgrade the affected component. The code maintainer was informed beforehand about the issues. She reacted very fast and highly professional.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References
Link Resource
https://github.com/zapping-vbi/zvbi/commit/8def647eea27f7fd7ad33ff79c2d6d3e39948dce Patch
https://github.com/zapping-vbi/zvbi/releases/tag/v0.2.44 Release Notes
https://github.com/zapping-vbi/zvbi/security/advisories/GHSA-g7cg-7gw9-v8cf Patch Vendor Advisory
https://vuldb.com/?ctiid.299202 Permissions Required VDB Entry
https://vuldb.com/?id.299202 Third Party Advisory VDB Entry
https://vuldb.com/?submit.512798 Third Party Advisory VDB Entry
Configurations

Configuration 1 (hide)

cpe:2.3:a:zapping-vbi:zvbi:*:*:*:*:*:*:*:*
History

03 Oct 2025, 00:26

Type Values Removed Values Added
First Time Zapping-vbi
Zapping-vbi zvbi
CPE cpe:2.3:a:zapping-vbi:zvbi:*:*:*:*:*:*:*:*
Summary
  • (es) Se ha encontrado una vulnerabilidad en libzvbi hasta la versión 0.2.43. Se ha clasificado como problemática. La función vbi_strndup_iconv_ucs2 del archivo src/conv.c está afectada. La manipulación del argumento src_length da lugar a un puntero no inicializado. Es posible lanzar el ataque de forma remota. El exploit se ha hecho público y puede utilizarse. La actualización a la versión 0.2.44 puede solucionar este problema. El parche se identifica como 8def647eea27f7fd7ad33ff79c2d6d3e39948dce. Se recomienda actualizar el componente afectado. La responsable del código fue informada de antemano sobre los problemas. Reaccionó muy rápido y con gran profesionalidad.
References () https://github.com/zapping-vbi/zvbi/commit/8def647eea27f7fd7ad33ff79c2d6d3e39948dce - () https://github.com/zapping-vbi/zvbi/commit/8def647eea27f7fd7ad33ff79c2d6d3e39948dce - Patch
References () https://github.com/zapping-vbi/zvbi/releases/tag/v0.2.44 - () https://github.com/zapping-vbi/zvbi/releases/tag/v0.2.44 - Release Notes
References () https://github.com/zapping-vbi/zvbi/security/advisories/GHSA-g7cg-7gw9-v8cf - () https://github.com/zapping-vbi/zvbi/security/advisories/GHSA-g7cg-7gw9-v8cf - Patch, Vendor Advisory
References () https://vuldb.com/?ctiid.299202 - () https://vuldb.com/?ctiid.299202 - Permissions Required, VDB Entry
References () https://vuldb.com/?id.299202 - () https://vuldb.com/?id.299202 - Third Party Advisory, VDB Entry
References () https://vuldb.com/?submit.512798 - () https://vuldb.com/?submit.512798 - Third Party Advisory, VDB Entry

11 Mar 2025, 07:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-11 07:15

Updated : 2025-10-03 00:26

NVD link : CVE-2025-2173

Mitre link : CVE-2025-2173

CVE.ORG link : CVE-2025-2173

JSON object : View

Products Affected

zapping-vbi

  • zvbi
CWE
CWE-824

Access of Uninitialized Pointer

CWE-908

Use of Uninitialized Resource