CVE-2025-48175 — Integer Overflow or Wraparound in Libavif

CWE-190 — Integer Overflow or Wraparound4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 42.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Aomedia Libavif Debian Libavif

Timeline

PublishedMay 16

Description

In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer overflows in multiplications involving rgbRowBytes, yRowBytes, uRowBytes, and vRowBytes.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages3 packages

▶debiandebian/libavif< libavif 0.11.1-1+deb12u1 (bookworm)

▶NVDaomedia/libavif< 1.3.0

▶Debianaomedia/libavif< 0.8.4-2+deb11u2+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2025-48175: In libavif before 1↗2025-05-16

▶

GHSA

GHSA-44mp-2g68-7wvv: In libavif before 1↗2025-05-16

▶

📋Vendor Advisories

Debian

CVE-2025-48175: libavif - In libavif before 1.3.0, avifImageRGBToYUV in reformat.c has integer overflows i...↗2025

▶