CVE-2025-2925: 
NixOS vulnerability analysis and mitigation

A double-free vulnerability (CVE-2025-2925) was discovered in HDF5 versions up to 1.14.6. The vulnerability affects the H5MM_realloc function in the src/H5MM.c file, where the manipulation of the argument mem leads to a double free condition. The issue was disclosed on March 28, 2025, and requires local access to exploit (NVD, GitHub Issue).

The vulnerability occurs in the H5MMxfree function defined in src/H5MM.c. The root cause is that the H5MMrealloc function uses realloc to release memory pointed to by pointer mem when handling size as 0, but fails to set the pointer mem to NULL afterward. This leads to a double free condition when calling the H5MM_xfree function. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD).

The vulnerability can lead to application crashes and potential denial of service conditions when processing certain files. The issue primarily affects the availability of the system, with no direct impact on confidentiality or integrity (GitHub Issue).

As of the vulnerability disclosure, there is no official patch available for this issue. Users of HDF5 versions up to 1.14.6 are affected and should monitor for updates from the HDF Group (NVD).