CVE-2025-43963: 
NixOS vulnerability analysis and mitigation

CVE-2025-43963 affects LibRaw versions before 0.21.4, specifically in the phaseonecorrect function within decoders/loadmfbacks.cpp. The vulnerability was discovered and disclosed on April 20, 2025, and involves an out-of-buffer access vulnerability due to unchecked splitcol and split_row values during 0x041f tag processing (NVD, LibRaw Release).

The vulnerability is classified as a CWE-125 (Out-of-bounds Read) issue. It received a CVSS v3.1 Base Score of 2.9 (LOW) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. The technical root cause stems from insufficient validation of splitcol and splitrow values during the processing of the 0x041f tag in the phaseonecorrect function (NVD, Red Hat).

The vulnerability allows out-of-buffer access, which could potentially lead to information disclosure or application crashes. The low CVSS score indicates limited impact, with no confidentiality or integrity impacts, and only low availability impact (Red Hat).

The vulnerability has been fixed in LibRaw version 0.21.4. Users are advised to upgrade to this version. The fix involves implementing proper validation checks for splitcol and splitrow values in the phaseonecorrect function (LibRaw Release, GitHub Commit).