CVE-2025-54462: 
Linux Debian vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2025-54462) was discovered in the Nex parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). The vulnerability was disclosed on August 25, 2025. The vulnerability affects the libbiosig library, which is an open source software library designed to process various types of medical signal data (EKG, EEG, etc) within different file formats (Talos Blog).

The vulnerability exists due to an inconsistency in how the total number of events is calculated in the Nex file processing code. When processing a specially crafted .nex file, the event code adds the per-channel number of events (n) to the total (N) regardless of the channel type, while the channel code only adds n when the type is 0, 1, or 2. This discrepancy can cause N to exceed the allocated buffer size (hdr->EVENT.N), leading to a heap-based buffer overflow. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows an attacker to provide a malicious .nex file that can lead to arbitrary code execution. Both the location of the out-of-bounds write and the data written are partially controlled by the attacker, potentially enabling arbitrary code execution depending on the heap setup (Talos Blog).

Users should update to a version newer than libbiosig 3.9.0. The vulnerability affects version 3.9.0 and Master Branch (35a819fa) (NVD).