
CVE-2025-1673
NixOS vulnerability analysis and mitigation

Overview

CVE-2025-1673 is a vulnerability in the Zephyr RTOS, affecting version 4.0 and earlier, disclosed on February 25, 2025. It lies in the dns_validate_msg function of the DNS resolver, the code that validates incoming DNS messages before they are parsed, so it is reachable by anyone who can deliver a DNS response to the device (Zephyr Advisory).

Technical details

The vulnerable function is dns_validate_msg in subsys/net/lib/dns/resolve.c. A DNS message begins with a fixed 12-byte header (ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT); the question section, starting with the query name, follows it. When a packet arrives that consists of only that header, with a DNS ID of 0 and QDCOUNT of 1 but no question payload, the code takes QDCOUNT as proof that a question is present and sets query_name to the 13th byte of a 12-byte packet, one past the end of the buffer. The crc16_ansi and strlen calls at lines 857-858 then read out of bounds from that pointer. The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H (NVD).

Impact

The impact depends on the device configuration. On devices with memory protection, the out-of-bounds reads fault and crash the system, a denial of service that can have severe consequences in safety-critical devices. On embedded devices without memory protection, the reads silently return whatever happens to lie past the buffer, so the computed name length and checksum are garbage and subsequent device behaviour depends on memory contents the attacker did not send (Zephyr Advisory).

Mitigation and workarounds

The recommended fix is DNS payload validation that checks the qdcount and ancount values in the header against the bytes actually received, so that no pointer into the question or answer section is dereferenced unless the packet is long enough to contain it. Patches have been submitted for the affected branches: main (#82072), v4.0.0 (#82289), and v3.7.0 (#82288) (Zephyr Advisory).
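The following is an added example, not Zephyr's code, showing the unchecked-offset pattern described under Technical details beside a bounds-checked validator of the kind the mitigation calls for. Function names (dns_validate_msg_unchecked, dns_validate_msg_checked, dns_skip_name), the DNS_EINVAL constant and the sample packets are all hypothetical and constructed for this demo. The checked version also rejects an ANCOUNT larger than the remaining bytes could hold, which generalizes the advisory's point beyond the 12-byte case.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Zephyr's code: names and constants here are hypothetical. */
#define DNS_MSG_HEADER_SIZE 12   /* ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT */
#define DNS_EINVAL          (-1)

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern: QDCOUNT == 1 is taken as proof that a question follows,
 * so query_name is set to buf + 12 and dereferenced even when len == 12. */
int dns_validate_msg_unchecked(const uint8_t *buf, size_t len, uint16_t expected_id)
{
    if (len < DNS_MSG_HEADER_SIZE || rd16(buf) != expected_id) return DNS_EINVAL;
    if (rd16(buf + 4) != 1) return DNS_EINVAL;            /* QDCOUNT */
    const char *query_name = (const char *)buf + DNS_MSG_HEADER_SIZE;
    /* strlen() scans for a NUL; on a 12-byte packet every byte it reads is past the end. */
    return (int)strlen(query_name);
}

/* Advance *off past a DNS name (length-prefixed labels ending in 0, or a 0xC0
 * compression pointer) without reading any byte at or beyond len. */
static int dns_skip_name(const uint8_t *buf, size_t len, size_t *off)
{
    size_t o = *off;
    for (;;) {
        if (o >= len) return DNS_EINVAL;                  /* nothing left to read */
        uint8_t l = buf[o];
        if (l == 0) { o++; break; }                       /* root label ends the name */
        if ((l & 0xC0) == 0xC0) {                         /* 2-byte compression pointer */
            if (len - o < 2) return DNS_EINVAL;
            o += 2;
            break;
        }
        if (l > 63) return DNS_EINVAL;                    /* reserved label types */
        o++;
        if (len - o < l) return DNS_EINVAL;               /* label body must fit */
        o += l;
    }
    *off = o;
    return 0;
}

/* Hardened validator: header counts are checked against the bytes present.
 * Returns the offset of the answer section, or DNS_EINVAL. */
int dns_validate_msg_checked(const uint8_t *buf, size_t len, uint16_t expected_id)
{
    if (len < DNS_MSG_HEADER_SIZE || rd16(buf) != expected_id) return DNS_EINVAL;
    uint16_t qdcount = rd16(buf + 4);
    uint16_t ancount = rd16(buf + 6);
    size_t off = DNS_MSG_HEADER_SIZE;

    if (qdcount != 1) return DNS_EINVAL;                  /* resolver sent one question */
    if (dns_skip_name(buf, len, &off) < 0) return DNS_EINVAL;  /* header-only packet fails here */
    if (len - off < 4) return DNS_EINVAL;                 /* QTYPE + QCLASS */
    off += 4;
    /* Smallest answer RR: 1-byte name + TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) = 11 bytes */
    if (ancount > (len - off) / 11) return DNS_EINVAL;    /* ANCOUNT promises more than fits */
    return (int)off;
}

/* Constructed packets (not captured traffic). hdr_only_padded is the CVE trigger:
 * ID 0, QDCOUNT 1, no question; it is passed with len = 12. The padding keeps the
 * unchecked version's over-read inside allocated memory for this demo only. */
static const uint8_t hdr_only_padded[64] = {
    0x00, 0x00, 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
};
/* Well-formed 45-byte reply: question example.com/A/IN plus one A record. */
static const uint8_t full_resp[45] = {
    0x00, 0x00, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0, 0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0E, 0x10, 0x00, 0x04, 192, 0, 2, 1,
};

int main(void)
{
    printf("unchecked, header-only: %d\n", dns_validate_msg_unchecked(hdr_only_padded, 12, 0));
    printf("checked,   header-only: %d\n", dns_validate_msg_checked(hdr_only_padded, 12, 0));
    printf("checked,   full reply : %d\n", dns_validate_msg_checked(full_resp, sizeof full_resp, 0));
    return 0;
}
```

On the header-only packet the unchecked version returns 20, the length of the padding it was never entitled to read; with a real 12-byte stack or pool buffer that scan runs into whatever lies next, which is the crash or garbage computation the advisory describes. The checked version rejects the same packet before touching byte 12, accepts the full reply and returns 29 (the start of the answer section), and also rejects the full reply when it is truncated inside the name or when the remaining bytes cannot hold the advertised ANCOUNT.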


Related NixOS vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name          CISA KEV exploit  Has fix  Published date
CVE-2026-30892  HIGH      7.8    NixOS         crun                    No                Yes      Mar 26, 2026
CVE-2026-33223  MEDIUM    5.4    NixOS         nats-server             No                Yes      Mar 25, 2026
CVE-2026-33222  MEDIUM    4.9    NixOS         rke2-runtime-fips-1.35  No                Yes      Mar 25, 2026
CVE-2026-33249  MEDIUM    4.3    NixOS         telegraf-1.37           No                Yes      Mar 25, 2026
CVE-2026-33248  MEDIUM    4.2    NixOS         rke2-runtime-1.34       No                Yes      Mar 25, 2026
