CVE-2025-3887: 
NixOS vulnerability analysis and mitigation

CVE-2025-3887 is a stack-based buffer overflow vulnerability discovered in GStreamer's H265 codec parsing functionality. The vulnerability was discovered on March 7, 2025, and publicly disclosed on April 30, 2025. This security flaw affects installations of GStreamer, specifically within the gstreamer1-plugins-bad-free package (NVD, ZDI Advisory).

The vulnerability exists within the parsing of H265 slice headers in GStreamer. The specific issue stems from the lack of proper validation of the length of user-supplied data before copying it to a fixed-length stack-based buffer. The vulnerability has been assigned a CVSS v3.0 base score of 8.8 (HIGH) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating its severe nature. The flaw has been classified as CWE-121 (Stack-based Buffer Overflow) (ZDI Advisory).

This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. If successfully exploited, an attacker can leverage this vulnerability to execute code in the context of the current process. The high CVSS score reflects the potential for complete compromise of system confidentiality, integrity, and availability (ZDI Advisory).

Red Hat has released security updates for affected versions of gstreamer1-plugins-bad-free package across multiple platforms including RHEL 8 and RHEL 9. Users are strongly advised to apply these security updates. The fix is available in version 1.22.12-4.el9_6 for RHEL 9 and version 1.16.1-5.el8_10 for RHEL 8 systems (RHSA-2025:8183, RHSA-2025:8201).