CVE-2025-2175: 
Linux Debian vulnerability analysis and mitigation

A vulnerability was discovered in libzvbi versions up to 0.2.43, affecting the function vbistrndup_iconv. The vulnerability has been classified as problematic and involves an integer overflow that could lead to a heap buffer overflow. The issue was publicly disclosed on March 11, 2025, and can be exploited remotely (NVD, GitHub Advisory).

The vulnerability exists in the vbistrndup_iconv function where an integer overflow can occur during memory allocation. When processing user-controlled input, the function performs arithmetic operations that can lead to an integer overflow, resulting in an under-allocation of memory. This is followed by a memcpy operation that copies more bytes than the allocated buffer size, causing a heap buffer overflow. The vulnerability has received a CVSS v4.0 score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (NVD, VulDB Submit).

The exploitation of this vulnerability could lead to various consequences including program crashes, denial of service (DoS), and potential remote code execution. The vulnerability affects the availability of the system while not directly impacting confidentiality or integrity (NVD).

The vulnerability has been fixed in libzvbi version 0.2.44. Users are strongly recommended to upgrade to this version to address the security issue. The code maintainer responded quickly and professionally to the reported vulnerability (GitHub Release).