CVE-2025-48175: 
NixOS vulnerability analysis and mitigation

CVE-2025-48175 affects libavif versions before 1.3.0, specifically in the avifImageRGBToYUV function within reformat.c. The vulnerability was discovered in May 2025 and involves integer overflow vulnerabilities in multiplications involving rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes variables. The issue has been assigned a CVSS 3.1 Base Score of 4.5 (MEDIUM) with a vector of CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L (NVD, Wiz).

The vulnerability stems from integer overflow issues in the avifImageRGBToYUV function where multiplications involving rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes variables were performed using uint32t, which could overflow when processing very large image width and height values. The vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The issue was fixed by changing the type of affected variables from uint32t to size_t, ensuring that multiplications are performed using potentially 64-bit integers instead of 32-bit integers (Github Commit).

The vulnerability could lead to heap out-of-bounds writes when processing specially crafted AVIF images, potentially resulting in limited integrity and availability impacts on the affected systems (Wiz).

The vulnerability has been fixed in libavif version 1.3.0. Users are advised to upgrade to version 1.3.0 or later. For older versions (pre-1.0.0), an alternative mitigation approach involves implementing maximum image area checks to prevent integer overflow conditions (Github PR).