CVE-2025-7979: 
NixOS vulnerability analysis and mitigation

CVE-2025-7979 is a stack-based buffer overflow vulnerability discovered in Ashlar-Vellum Graphite software. The vulnerability was reported to the vendor on November 13, 2024, and was publicly disclosed on July 22, 2025, as a zero-day vulnerability after the vendor failed to provide a timely patch. The vulnerability affects the parsing of VC6 files in Ashlar-Vellum Graphite and has been assigned a CVSS score of 7.8 (ZDI Advisory).

The vulnerability exists within the parsing of VC6 files in Ashlar-Vellum Graphite. The specific flaw stems from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. The vulnerability has been assigned a CVSS v3 score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity with potential for complete compromise of system confidentiality, integrity, and availability (ZDI Advisory).

An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the current process. The attack requires user interaction, as the target must visit a malicious page or open a malicious file to trigger the exploitation (ZDI Advisory).

Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product. As of the disclosure date, no official patch was available from the vendor (ZDI Advisory).