CVE-2025-11465: 
NixOS vulnerability analysis and mitigation

CVE-2025-11465 is a Use-After-Free Remote Code Execution vulnerability affecting Ashlar-Vellum Cobalt software. The vulnerability was discovered by Rocco Calvi (@TecR0c) with TecSecurity and was reported to the vendor on April 14, 2025. The vulnerability received a CVSS score of 7.8 (High) and affects installations of Ashlar-Vellum Cobalt software (ZDI Advisory).

The vulnerability exists within the parsing of CO files in Ashlar-Vellum Cobalt. The specific flaw results from the lack of validating the existence of an object prior to performing operations on the object. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and user interaction required (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process, potentially leading to complete system compromise with high impacts on confidentiality, integrity, and availability of the affected system (ZDI Advisory).

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product. The vendor was notified of the vulnerability on April 14, 2025, and acknowledged receipt on April 23, 2025. After multiple follow-ups, ZDI published this as a zero-day advisory on October 16, 2025 (ZDI Advisory).