CVE-2025-54409
AIDE vulnerability analysis and mitigation

Overview

AIDE (Advanced Intrusion Detection Environment) versions 0.13 to 0.19.1 contain a null pointer dereference vulnerability. The vulnerability was discovered by Rajesh Pangare and was assigned CVE-2025-54409. The issue affects the extended file attributes handling functionality in AIDE, where an attacker can crash the program during report printing or database listing operations (GitHub Advisory, Debian Tracker).

Technical details

The vulnerability stems from missing error handling while decoding base64-encoded xattr attributes from the database, and from incorrect handling of empty xattr attribute values and of attribute keys containing commas. The issue occurs specifically when the program is compiled with the --with-xattr configure flag, which is the default configuration for most distributions. The vulnerability manifests during the second run of AIDE, after an extended file attribute has been written to the database in the first run, particularly when the xattr value is shown in the report due to a change or when the database is listed via --list (OSS Security).
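
The defensive pattern for the decoding failure described above, as an added example that is not AIDE's code and is not taken from the advisory: a base64 decoder that signals malformed input by returning NULL, and a caller that checks that result before use and treats an empty value as valid. The function names, the `<undecodable>` marker and the sample values are assumptions made for illustration; attribute keys containing commas are not modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Map a base64 character to its 6-bit value; -1 if it is outside the alphabet. */
static int b64val(char c) {
    const char *abc = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(abc, c) : NULL;
    return p ? (int)(p - abc) : -1;
}
/* Decode padded base64 into a malloc'd buffer; NULL = malformed, "" = valid empty value. */
unsigned char *b64_decode(const char *in, size_t *len) {
    size_t n = strlen(in), o = 0;
    if (n % 4 != 0) return NULL;
    unsigned char *out = malloc(n / 4 * 3 + 1);  /* +1 so "" never calls malloc(0) */
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i += 4) {
        int v[4], pad = 0;
        for (int j = 0; j < 4; j++) {
            char c = in[i + j];
            if (c == '=' && i + 4 == n && j >= 2) { v[j] = 0; pad++; }
            else if (pad || (v[j] = b64val(c)) < 0) { free(out); return NULL; }
        }
        unsigned w = (unsigned)v[0] << 18 | (unsigned)v[1] << 12 | (unsigned)v[2] << 6 | (unsigned)v[3];
        out[o++] = (unsigned char)(w >> 16);
        if (pad < 2) out[o++] = (unsigned char)(w >> 8);
        if (pad < 1) out[o++] = (unsigned char)w;
    }
    *len = o;
    return out;
}

/* Hypothetical report helper: formats "key=value" from a stored base64 value. */
const char *render_xattr(const char *key, const char *b64) {
    static char line[256];
    size_t len = 0;
    unsigned char *val = b64_decode(b64, &len);
    if (val == NULL)  /* decode failed: report it, never dereference the result */
        snprintf(line, sizeof line, "%s=<undecodable>", key);
    else              /* len may be 0: an empty value prints as empty, not as an error */
        snprintf(line, sizeof line, "%s=%.*s", key, (int)len, (const char *)val);
    free(val);        /* free(NULL) is a no-op */
    return line;
}

int main(void) {      /* constructed sample values: one valid, one truncated */
    puts(render_xattr("user.tag", "Zm9v"));
    puts(render_xattr("user.tag", "Zm9"));
    return 0;
}
```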

Impact

When exploited, this vulnerability can lead to a local denial of service through program crash. The vulnerability has been assigned a CVSS v3.1 base score of 6.2 (Moderate), with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The impact is limited to availability, with no effect on confidentiality or integrity (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in AIDE version 0.19.2. For users unable to upgrade, a workaround involves removing the xattrs group from rules matching files on affected file systems. Various Linux distributions have also released security updates, including Ubuntu and Debian, with fixed package versions available through their respective security channels (GitHub Release, Ubuntu Security).

This report was generated using AI.