CVE-2025-2174

5.3 MEDIUM

📋 TL;DR

An integer overflow vulnerability in libzvbi's vbi_strndup_iconv_ucs2 function allows remote attackers to cause a denial of service or potentially execute arbitrary code. It affects systems that use libzvbi, up to and including version 0.2.43, to process teletext data. The vulnerability is remotely exploitable and a public exploit is available.

💻 Affected Systems

Products:
  • libzvbi
Versions: Up to and including 0.2.43
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using libzvbi for teletext/closed caption processing

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise

🟠 Likely Case: Denial of service through application crash or memory corruption

🟢 If Mitigated: Limited impact if proper memory protections (ASLR, DEP) are enabled

🌐 Internet-Facing: MEDIUM - Remote exploit available but requires specific libzvbi usage
🏢 Internal Only: LOW - Most internal systems don't use libzvbi for teletext processing

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploit disclosed publicly; triggering the integer overflow requires specially crafted input

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.44

Vendor Advisory: https://github.com/zapping-vbi/zvbi/security/advisories/GHSA-g7cg-7gw9-v8cf

Restart Required: Yes

Instructions:

1. Download libzvbi 0.2.44 from the official repository
2. Compile and install using the standard ./configure, make, make install sequence
3. Restart any services using libzvbi
4. Recompile any applications statically linked against libzvbi

🔧 Temporary Workarounds

Disable vulnerable functionality: turn off teletext/closed caption processing in applications that use libzvbi. Application-specific configuration changes are required.

🧯 If You Can't Patch

  • Implement strict input validation for libzvbi data sources
  • Deploy memory protection mechanisms (ASLR, DEP, stack canaries)

🔍 How to Verify

Check Version:

pkg-config --modversion zvbi-0.2

Check if Vulnerable: a reported version of 0.2.43 or lower is vulnerable.

Verify Fix Applied: the same command should report 0.2.44 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with libzvbi in stack trace
  • Memory corruption errors in system logs

Network Indicators:

  • Unexpected teletext data streams to vulnerable services

SIEM Query:

search 'libzvbi' OR 'zvbi' in application crash logs
