CVE-2025-3409: 
Linux Debian vulnerability analysis and mitigation

A vulnerability classified as critical has been found in Nothings stb up to f056911. The vulnerability affects the function stbincludestring and involves a stack-based buffer overflow that can be triggered through manipulation of the pathtoincludes argument. The vulnerability was discovered and disclosed on April 8, 2025 (NVD).

The vulnerability is a stack-based buffer overflow in the stbincludestring function. It has received a CVSS 3.1 base score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. The vulnerability has also been assessed under CVSS 4.0 with a score of 5.3 (Medium) and vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (VulDB).

The vulnerability can be exploited remotely and may lead to unauthorized access, data manipulation, or system compromise. The CVSS scoring indicates potential impacts on confidentiality, integrity, and availability, all rated as Low (NVD).

As of the disclosure date, no official fixes have been released. The vendor was contacted early about this disclosure but did not respond. The product does not use versioning, which complicates the identification of fixed releases (NVD).