CVE-2025-1674: 
NixOS vulnerability analysis and mitigation

A vulnerability identified as CVE-2025-1674 was discovered in the Zephyr operating system version 4.0 and earlier. The vulnerability was disclosed on February 25, 2025, and involves a lack of input validation in the DNS packet handling functionality (Zephyr Advisory, NVD).

The vulnerability exists in the dnsunpackanswer function within dnspack.c, which is responsible for decoding DNS answers from incoming DNS data. The issue stems from incorrect validation of remsize, which is computed relative to the start of the packet instead of the start of the answer region. This implementation flaw can lead to out-of-bounds reads when processing malicious or malformed packets. The vulnerability has been assigned a CVSS v3.1 base score of 8.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H (Zephyr Advisory).

When exploited, this vulnerability can cause out-of-bounds reads leading to system crashes and potential denial of service conditions. The CVSS scoring indicates high impact on system availability with some impact on confidentiality, while maintaining no impact on integrity (Zephyr Advisory).

A fix has been proposed that updates the computation of remsize in the affected code. The corrected calculation should be: remsize = dnsmsg->msgsize - dnsmsg->answeroffset - dname_len. Patches have been submitted for the main branch (#82072), version 4.0.0 (#82289), and version 3.7.0 (#82288) (Zephyr Advisory).