CVE-2025-4478: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-4478) was discovered in the FreeRDP component used by Anaconda's remote install feature. The vulnerability was published on May 16, 2025, and affects multiple Linux distributions including Red Hat, Ubuntu, and Debian. The flaw is classified as a NULL Pointer Dereference (CWE-476) that occurs during the pre-boot phase (NVD, Wiz).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H. The issue was introduced in FreeRDP version 3.0.0-beta1 and manifests when processing malformed RDP packets in the remote access functionality. The vulnerable code was identified in commit cf2daeb01d3325a9de97348047caf4b8974f2b76 and later fixed in commit a4bb702aa62e4fad91ca99142de075265555ec18 (Debian Tracker).

When exploited, this vulnerability results in a denial of service condition where the affected service crashes and remains in a defunct state. The impact is particularly severe as it occurs during the pre-boot phase, and system recovery requires a manual reboot. The vulnerability affects multiple versions of the FreeRDP package across various distributions (Ubuntu, Wiz).

Currently, the primary mitigation is to reboot the system when the service becomes defunct. The vulnerability affects multiple versions of the FreeRDP package across various distributions, including Debian Bullseye, Bookworm, Trixie, and Sid. As of the latest reports, the vulnerability remains unfixed in several versions, though some distributions have released patches (Debian Tracker, Ubuntu).