CVE-2025-11464: 
NixOS vulnerability analysis and mitigation

CVE-2025-11464 is a heap-based buffer overflow vulnerability in Ashlar-Vellum Cobalt software, specifically affecting the CO file parsing functionality. The vulnerability was discovered and reported to the vendor on April 14, 2025, and was publicly disclosed on October 16, 2025 (ZDI Advisory).

The vulnerability exists within the parsing of CO files in Ashlar-Vellum Cobalt. The specific flaw stems from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. The vulnerability has been assigned a CVSS v3.1 score of 7.8 (High) with the following vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The attack requires user interaction, specifically requiring the target to visit a malicious page or open a malicious file (ZDI Advisory).

Given the nature of the vulnerability, the only recommended mitigation strategy is to restrict interaction with the product. As of the disclosure date, no vendor patch was available (ZDI Advisory).

The vendor acknowledged receipt of the vulnerability report on April 23, 2025. After multiple follow-ups by ZDI on July 30 and August 6, 2025, and with no fix provided, ZDI proceeded with a zero-day advisory publication on October 16, 2025 (ZDI Advisory).