
Cloud Vulnerability DB
A community-led vulnerabilities database
A heap-based buffer overflow vulnerability was discovered in UPX versions up to 5.0.0, specifically in the PackLinuxElf64::unDTINIT function in the src/plxelf.cpp file. The vulnerability was disclosed on March 27, 2025, and has been assigned CVE-2025-2849. The issue allows a local attacker to cause a denial of service by triggering the buffer overflow (NVD, VulDB).
The vulnerability is classified as a heap-based buffer overflow (CWE-122) and has received a CVSS v3.1 base score of 3.3 (LOW). The overflow occurs in the PackLinuxElf64::unDTINIT function when certain input files are processed. It can be triggered locally with low attack complexity. The CVSS v4.0 vector likewise indicates local access with low attack complexity: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N (VulDB, NVD).
The primary impact of this vulnerability is on system availability. When successfully exploited, the heap-based buffer overflow causes the application to abort. The vulnerability affects availability only and has no direct impact on confidentiality or integrity (VulDB).
A patch has been released to address this vulnerability. The fix is identified by commit hash e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2. Users are strongly advised to apply this patch to mitigate the vulnerability. The patch can be obtained from the official UPX GitHub repository (GitHub Commit).
Source: This report was generated using AI