MEDIUM Severity
CVE-2025-48175
Integer overflow vulnerability in libavif before 1.3.0
Overview
In libavif prior to 1.3.0, an integer overflow exists in avifImageRGBToYUV: multiplications involving the row strides rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes can wrap when the image is large enough.
Technical Details
The vulnerability is in the reformat.c component of libavif, where avifImageRGBToYUV converts an RGB image into Y, U and V planes. The row strides rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes are multiplied in 32-bit unsigned arithmetic (the rowBytes fields in libavif are uint32_t); for a sufficiently large image the product wraps modulo 2^32, so the computed byte offset or plane size no longer matches the buffer that was actually allocated.
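The following is an added illustration of the arithmetic described above, not libavif's own code: the unchecked 32-bit stride product beside a checked form that computes the product in 64 bits and rejects anything that does not fit. The names plane_strides, plane_bytes_unchecked, plane_bytes_wide, plane_bytes_checked and strides_fit are hypothetical, and the image dimensions are constructed so that rgbRowBytes * height is exactly 2^32.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the four row strides used in an RGB->YUV
 * conversion. Hypothetical type; not libavif's avifImage/avifRGBImage. */
typedef struct {
    uint32_t height;
    uint32_t rgbRowBytes;
    uint32_t yRowBytes;
    uint32_t uRowBytes;
    uint32_t vRowBytes;
} plane_strides;

/* The shape of the bug: uint32_t * uint32_t silently wraps modulo 2^32,
 * so a huge image can yield a tiny (even zero) byte count or offset. */
uint32_t plane_bytes_unchecked(uint32_t rowBytes, uint32_t height)
{
    return rowBytes * height;
}

/* The same product carried in 64 bits, where it cannot overflow. */
uint64_t plane_bytes_wide(uint32_t rowBytes, uint32_t height)
{
    return (uint64_t)rowBytes * (uint64_t)height;
}

/* Hardened form: compute in 64 bits and refuse anything that does not fit
 * the 32-bit stride type. Returns false on overflow; out may be NULL. */
bool plane_bytes_checked(uint32_t rowBytes, uint32_t height, uint32_t *out)
{
    uint64_t product = plane_bytes_wide(rowBytes, height);
    if (product > UINT32_MAX) {
        return false;
    }
    if (out) {
        *out = (uint32_t)product;
    }
    return true;
}

/* Validate every stride*height product before touching any plane data. */
bool strides_fit(const plane_strides *s)
{
    return plane_bytes_checked(s->rgbRowBytes, s->height, NULL)
        && plane_bytes_checked(s->yRowBytes, s->height, NULL)
        && plane_bytes_checked(s->uRowBytes, s->height, NULL)
        && plane_bytes_checked(s->vRowBytes, s->height, NULL);
}

int main(void)
{
    /* Constructed input: 4-byte RGBA pixels, width 65536 -> rgbRowBytes 262144;
     * height 16384 -> 2^32 bytes of RGB, which does not fit in uint32_t.
     * The YUV strides are given as if the chroma planes were half width. */
    plane_strides s = { .height = 16384, .rgbRowBytes = 262144,
                        .yRowBytes = 65536, .uRowBytes = 32768, .vRowBytes = 32768 };

    printf("unchecked rgb plane bytes: %u\n",
           plane_bytes_unchecked(s.rgbRowBytes, s.height));      /* wraps to 0 */
    printf("wide rgb plane bytes:      %llu\n",
           (unsigned long long)plane_bytes_wide(s.rgbRowBytes, s.height));
    printf("all strides fit uint32:    %s\n", strides_fit(&s) ? "yes" : "no");
    return 0;
}
```

The luma stride fits (65536 * 16384 = 2^30) while the RGB stride does not, which is why every product must be checked individually rather than only the largest plane. Doing the check once up front, before any pointer arithmetic, is the pattern that removes this class of bug; widening only the final multiplication while leaving an earlier width * bytesPerPixel product in 32 bits would still overflow.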
CVSS Metrics
- Attack Vector: LOCAL
- Attack Complexity: HIGH
- Privileges Required: NONE
- User Interaction: NONE
- Scope: CHANGED
- Confidentiality Impact: NONE
- Integrity Impact: LOW
- Availability Impact: LOW
- CVSS Base Score: 4.5
- CVSS Base severity: MEDIUM
Impact
An attacker who can get an oversized RGB image fed into avifImageRGBToYUV (for example through an application that encodes user-supplied images to AVIF) can make a stride product wrap, so pixel addresses are computed relative to a buffer smaller than the one the conversion actually walks. The result is out-of-bounds memory access: in practice a crash (denial of service) and limited memory corruption, which matches the CVSS assessment of low integrity and availability impact and no confidentiality impact.
Recommendations
Users of libavif versions prior to 1.3.0 should update to 1.3.0 or later. Applications that bundle or statically link libavif need to be rebuilt against the fixed release; the version actually linked can be confirmed at runtime with avifVersion(). Until the update is deployed, reject image dimensions from untrusted sources whose stride multiplied by height would not fit in 32 bits before handing them to the encoder.