CVE-2025-6663: 
NixOS vulnerability analysis and mitigation

GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability (CVE-2025-6663) was discovered and disclosed on July 3rd, 2025. This vulnerability affects GStreamer installations and specifically exists within the parsing of H266 sei messages. The vulnerability was initially reported to the vendor on June 23rd, 2025, and was subsequently addressed through a security update (ZDI Advisory, NVD).

The vulnerability stems from insufficient validation of user-supplied data length before copying it to a fixed-length stack-based buffer during the parsing of H266 sei messages. The issue has been assigned a CVSS v3.0 Base Score of 7.8 (HIGH) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability has been classified under CWE-121 (Stack-based Buffer Overflow) (ZDI Advisory).

When successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process on affected GStreamer installations. While interaction with the library is required for exploitation, the attack vectors may vary depending on the implementation (NVD).

GStreamer has released a security update to address this vulnerability. The fix is available through a patch that can be found in the GStreamer repository. Users are advised to update their GStreamer installations to the patched version (ZDI Advisory).