CVE-2025-6271: 
NixOS vulnerability analysis and mitigation

A vulnerability was identified in swftools versions up to 0.9.2, specifically affecting the wav_convert2mono function in the library lib/wav.c of the wav2swf component. The vulnerability was disclosed on June 19, 2025, and is classified as an out-of-bounds read issue that requires local access to exploit. The vulnerability has been assigned CVE-2025-6271 (NVD, CVE).

The vulnerability is characterized as an out-of-bounds read issue in the wav_convert2mono function. It has received a CVSS v4.0 score of 4.8 (Medium) with vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P, and a CVSS v3.1 score of 3.3 (Low) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The vulnerability is associated with CWE-125 (Out-of-bounds Read) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (NVD).

The vulnerability affects the availability of the system through an out-of-bounds read condition. While the confidentiality and integrity impacts are rated as none, the availability impact is considered low. The attack requires local access to exploit, limiting its potential impact scope (VulDB).

No official patch has been released yet for this vulnerability. The issue affects swftools versions up to 0.9.2, and users are advised to monitor for updates from the vendor (NVD).