CVE-2025-1744: 
NixOS vulnerability analysis and mitigation

Out-of-bounds Write vulnerability (CVE-2025-1744) was discovered in radareorg radare2 affecting versions before 5.9.9. The vulnerability was disclosed on February 27, 2025, and was assigned by the Government Technology Agency of Singapore Cyber Security Group (GovTech CSG). The issue affects the radare2 software package, which is a popular reverse engineering framework (NVD, CVE).

The vulnerability is classified as an Out-of-bounds Write (CWE-787) that allows heap-based buffer over-read or buffer overflow conditions. The severity assessment according to CVSS 4.0 has been rated as CRITICAL with a base score of 10.0, with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (NVD).

The vulnerability could potentially lead to heap-based buffer over-read or buffer overflow conditions, which could result in arbitrary code execution, system crashes, or information disclosure. The high CVSS score indicates severe potential impacts across confidentiality, integrity, and availability (NVD).

The vulnerability has been addressed in the development branch and will be included in the upcoming version 6.0.0 release. Users are advised to upgrade to version 6.0.0 when it becomes available. Distribution maintainers may backport the security fix to their packages (GitHub PR).

The vulnerability was initially reported through a pull request on GitHub, which was merged on February 18, 2025. The radare2 maintainer acknowledged the importance of tracking such vulnerabilities, particularly when dealing with third-party code. Various Linux distributions, including Ubuntu and Debian, are currently evaluating the impact and preparing security updates (GitHub PR, Ubuntu).