CVE-2025-1632: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in libarchive versions up to 3.7.7, identified as CVE-2025-1632. The flaw affects the list function in the bsdunzip.c file, where a null pointer dereference can occur. The vulnerability was publicly disclosed on February 24, 2025, and can be exploited through local access (NVD, Red Hat).

The vulnerability is classified as a null pointer dereference issue (CWE-476) and improper resource shutdown or release (CWE-404). It has received a CVSS v3.1 base score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The CVSS v4.0 score is 4.8 (MEDIUM) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (NVD, VulDB).

When exploited, this vulnerability can lead to application crashes or other unexpected behavior through a null pointer dereference. The impact is primarily limited to availability, with no direct effects on confidentiality or integrity (Red Hat).

As of the vulnerability disclosure, no official patches have been released. Major Linux distributions including Red Hat have marked this issue as 'Fix deferred' (Red Hat).

The vendor was reportedly contacted about this disclosure but did not respond to the initial notification (NVD).