
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-43964 is a security vulnerability discovered in LibRaw versions before 0.21.4, where tag 0x412 processing in phase_one_correct within decoders/load_mfbacks.cpp fails to enforce minimum w0 and w1 values. The vulnerability was disclosed on April 20, 2025 (NVD, Red Hat).
The vulnerability has been classified as CWE-1284 (Improper Validation of Specified Quantity in Input). It received a CVSS 3.1 Base Score of 2.9 (LOW) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating a local attack vector with high attack complexity, requiring no privileges or user interaction (NVD).
The impact is limited to availability: the CVSS vector records no impact on confidentiality or integrity and a low impact on availability. The local attack vector and high attack complexity help minimize the potential impact (Red Hat).
The vulnerability has been fixed in LibRaw version 0.21.4. For affected systems, Red Hat notes that mitigation options are either not available or do not meet their Product Security criteria for ease of use and deployment. Users are advised to upgrade to the fixed version when available (LibRaw Release, Red Hat).
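A version triage for the remediation above, as an added example that is not part of the original advisory or of LibRaw: it compares reported package versions against the fixed release 0.21.4. The function names, status labels and sample inventory are constructed for illustration; a distribution package with an older upstream version may carry a backported fix, so those entries are flagged for a vendor-advisory check instead of being marked affected.

```python
import re

FIXED = (0, 21, 4)  # first fixed LibRaw release, per the advisory

def upstream_version(pkg_version):
    """Return the upstream (major, minor, patch) tuple, or None if unparseable.

    Accepts an optional package epoch ("1:") and ignores distro release
    suffixes such as "-10.el9"; a missing patch component counts as 0.
    """
    s = re.sub(r"^\d+:", "", pkg_version.strip())  # drop epoch
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def classify(pkg_version):
    """Map a reported version string to a triage status (labels are assumptions)."""
    v = upstream_version(pkg_version)
    if v is None:
        return "unknown"
    if v >= FIXED:  # numeric compare, so 0.21.10 sorts after 0.21.4
        return "fixed"
    # Older upstream version with a distro release suffix: the vendor may
    # have backported the fix, so check the vendor advisory before deciding.
    return "check-backport" if "-" in pkg_version else "affected"

# Constructed inventory (host -> reported LibRaw package version).
SAMPLE = {
    "build-01": "0.21.4",
    "render-02": "0.21.3",
    "ws-17": "0.21.1-10.el9",
    "ws-18": "1:0.20.2-2ubuntu2",
    "edge-03": "0.22.0",
    "legacy": "unknown-build",
}

def triage(inventory):
    """Classify every host in an inventory mapping."""
    return {host: classify(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:10} {SAMPLE[host]:20} {status}")
```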
Source: This report was generated using AI