CVE-2025-2173
Published: 11 March 2025
Summary
CVE-2025-2173 is a medium-severity Access of Uninitialized Pointer (CWE-824) vulnerability in Zapping-Vbi Zvbi. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely flaw remediation by upgrading libzvbi to version 0.2.44, eliminating the uninitialized pointer vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies systems running vulnerable libzvbi versions up to 0.2.43 so they can be prioritized for patching.
- Input validation: validating inputs such as src_length blocks malformed arguments that trigger the uninitialized pointer dereference in vbi_strndup_iconv_ucs2.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote, unauthenticated exploitation with no user interaction required, which maps directly to exploiting a public-facing application (or remote service) that uses the vulnerable library, with limited information disclosure as the outcome.
NVD Description
A vulnerability was found in libzvbi up to 0.2.43. It has been classified as problematic. Affected is the function vbi_strndup_iconv_ucs2 of the file src/conv.c. The manipulation of the argument src_length leads to uninitialized pointer. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.2.44 is able to address this issue. The patch is identified as 8def647eea27f7fd7ad33ff79c2d6d3e39948dce. It is recommended to upgrade the affected component. The code maintainer was informed beforehand about the issues. She reacted very fast and highly professionally.
Deeper analysis
CVE-2025-2173 is a vulnerability in the libzvbi library, versions up to 0.2.43, classified as problematic due to an uninitialized pointer issue. The flaw affects the vbi_strndup_iconv_ucs2 function in the src/conv.c file, where manipulation of the src_length argument triggers the use of an uninitialized pointer, corresponding to CWE-824 (Access of Uninitialized Pointer) and CWE-908 (Use of Uninitialized Resource). The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact.
The vulnerability can be exploited remotely by unauthenticated attackers with no privileges required, as it has low attack complexity and no user interaction needed. By crafting input that manipulates the src_length parameter, an attacker can trigger the uninitialized pointer dereference, potentially leading to limited information disclosure. An exploit has been publicly disclosed and may be usable against affected libzvbi instances.
Mitigation is available through upgrading to libzvbi version 0.2.44, which addresses the issue via the patch commit 8def647eea27f7fd7ad33ff79c2d6d3e39948dce. The library maintainer was notified in advance and responded promptly and professionally, with details documented in the GitHub security advisory (GHSA-g7cg-7gw9-v8cf), release notes, and commit history.
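As an added illustration of the defensive pattern for CWE-824 in a strndup-style conversion helper (this is not libzvbi's code; the function name, the UCS-2 to UTF-8 layout and the "negative src_length means NUL-terminated" convention are assumptions made for this example), the result pointer is always initialized and src_length is validated before any allocation or dereference:

```c
/* Hypothetical CWE-824 hardening example. NOT libzvbi's vbi_strndup_iconv_ucs2:
   the name, encoding layout and length convention below are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Copy up to src_length UCS-2 code units (BMP only) into a freshly allocated,
   NUL-terminated UTF-8 string. Returns NULL on any invalid input.
   Assumed convention: src_length < 0 means "up to the first 0x0000 unit". */
char *ucs2_strndup_utf8(const uint16_t *src, long src_length)
{
    char *out = NULL;   /* never leave the result pointer uninitialized (CWE-824) */
    size_t n, i, len = 0;

    if (src == NULL)
        return NULL;

    if (src_length < 0) {   /* do not trust a negative count as a size: scan instead */
        n = 0;
        while (src[n] != 0)
            n++;
    } else {
        n = (size_t)src_length;
    }

    /* Each BMP code unit expands to at most 3 UTF-8 bytes; guard the multiply. */
    if (n > (SIZE_MAX - 1) / 3)
        return NULL;

    out = malloc(n * 3 + 1);
    if (out == NULL)
        return NULL;

    for (i = 0; i < n && src[i] != 0; i++) {
        uint16_t c = src[i];
        if (c >= 0xD800 && c <= 0xDFFF) {   /* lone surrogate: reject, do not guess */
            free(out);
            return NULL;
        }
        if (c < 0x80) {
            out[len++] = (char)c;
        } else if (c < 0x800) {
            out[len++] = (char)(0xC0 | (c >> 6));
            out[len++] = (char)(0x80 | (c & 0x3F));
        } else {
            out[len++] = (char)(0xE0 | (c >> 12));
            out[len++] = (char)(0x80 | ((c >> 6) & 0x3F));
            out[len++] = (char)(0x80 | (c & 0x3F));
        }
    }
    out[len] = '\0';   /* every success path returns an initialized, terminated buffer */
    return out;
}
```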
Details
- CWE(s)