CVE-2025-11465: 
NixOS vulnerability analysis and mitigation

CVE-2025-11465 is a remote code execution vulnerability affecting Ashlar-Vellum Cobalt software. The vulnerability was discovered by Rocco Calvi (@TecR0c) with TecSecurity and was disclosed on October 16, 2025. This vulnerability received a CVSS score of 7.8 (High), indicating significant potential impact (ZDI Advisory).

The vulnerability exists within the parsing of CO files in Ashlar-Vellum Cobalt. The specific flaw stems from the lack of validating the existence of an object prior to performing operations on the object, resulting in a use-after-free condition. The vulnerability has been assigned a CVSS vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and user interaction required (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The high CVSS score of 7.8 indicates severe potential impacts on confidentiality, integrity, and availability of the affected system (ZDI Advisory).

Given the nature of the vulnerability, the only salient mitigation strategy recommended is to restrict interaction with the product. The vendor was notified on April 14, 2025, acknowledged the receipt on April 23, 2025, but no patch was available at the time of disclosure (ZDI Advisory).