CVE-2025-27091: 
NixOS vulnerability analysis and mitigation

OpenH264, a free license codec library supporting H.264 encoding and decoding, contains a high-severity vulnerability (CVE-2025-27091) in its decoding functions. The vulnerability affects OpenH264 version 2.5.0 and earlier releases, impacting both Scalable Video Coding (SVC) and Advanced Video Coding (AVC) modes. This security flaw was discovered by researchers from Meta and has been assigned a CVSSv4 score of 8.6 (High) (GitHub Advisory).

The vulnerability stems from a race condition between a Sequence Parameter Set (SPS) memory allocation and a subsequent non-Instantaneous Decoder Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. This condition can lead to a heap overflow vulnerability. The issue has been assigned a CVSS 3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

A successful exploitation of this vulnerability could allow an attacker to cause an unexpected crash in the victim's user decoding client and potentially execute arbitrary commands on the victim's host by abusing the heap overflow. The vulnerability affects both confidentiality and integrity of the system with high impact ratings (Security Online).

Cisco has addressed this vulnerability in OpenH264 software releases 2.6.0 and later. Users are strongly advised to upgrade to the latest version as there are no known workarounds for this vulnerability (GitHub Release).

The vulnerability has received significant attention from the security community, with researchers from Meta playing a key role in both discovering and fixing the issue. The fix was implemented and released by Benzheng Zhang, with contributions from Meta's security team including Octavian Guzu, Andrew Calvano, Philipp Hancke, and Shyam Sadhwani (GitHub Advisory).