CVE-2025-29482: 
NixOS vulnerability analysis and mitigation

A Buffer Overflow vulnerability was discovered in libheif version 1.19.7, identified as CVE-2025-29482. The vulnerability exists in the SAO (Sample Adaptive Offset) processing component of libde265, specifically during thread pool execution. This security flaw allows a local attacker to execute arbitrary code via the SAO processing of libde265 (NVD, Debian Tracker).

The vulnerability is a stack buffer overflow that occurs in the applysaointernal function during thread pool execution, specifically at line 240 of sao.cc. The issue stems from improper bounds checking when accessing the bandTable array during HEIF/HEVC decoding. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.2 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can lead to arbitrary code execution by a local attacker. When successfully exploited, it can cause a stack buffer overflow during the processing of HEIF images, potentially leading to system compromise. The CVSS scoring indicates high impact on system availability (NVD).

Multiple Linux distributions have released security updates to address this vulnerability. Debian has updated packages for various releases including bullseye (1.11.0-1+deb11u2) and bookworm (1.15.1-1+deb12u1). Users are advised to update to the latest available version of libheif (Debian Tracker).