CVE-2025-11464: 
NixOS vulnerability analysis and mitigation

CVE-2025-11464 is a heap-based buffer overflow vulnerability in Ashlar-Vellum Cobalt affecting version 12.2.1204.97. The vulnerability was discovered by Rocco Calvi and was disclosed on October 16, 2025. The vulnerability affects the CO file parsing functionality in Ashlar-Vellum Cobalt software (Zero Day Initiative, NVD).

The vulnerability exists within the parsing of CO files and results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow) (Zero Day Initiative, NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected installations of Ashlar-Vellum Cobalt. The high CVSS score indicates potential severe impacts on confidentiality, integrity, and availability of the affected system (Zero Day Initiative).

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product. The vendor was notified of the vulnerability on April 14, 2025, but no patch was available at the time of disclosure (Zero Day Initiative).