What is the CVSS score of CVE-2025-48174?

CVE-2025-48174 has a CVSS 3.1 base score of 4.5 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L. EPSS exploitation probability: 0.4%.

Which versions of Libavif are affected by CVE-2025-48174?

Organizations using libavif should be aware of moderate risk from CVE-2025-48174, a integer overflow vulnerability rated CVSS 4.5. Exploitation could cause memory corruption or application crashes.. A patch is available.

How to fix or mitigate CVE-2025-48174?

During next maintenance window: Identify affected systems running libavif and apply vendor patches when convenient. Vendor patch is available.

Libavif CVE-2025-48174

MEDIUM

Integer Overflow or Wraparound (CWE-190)

2025-05-16 cve@mitre.org

Buffer Overflow Integer Overflow Suse Libavif

4.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:42 vuln.today

Patch released

Mar 28, 2026 - 18:42 nvd

Patch available

CVE Published

May 16, 2025 - 05:15 nvd

MEDIUM 4.5

DescriptionNVD

In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size.

AnalysisAI

In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size. Rated medium severity (CVSS 4.5), this vulnerability is no authentication required.

Technical ContextAI

This vulnerability is classified as Integer Overflow (CWE-190), which allows attackers to cause unexpected behavior through arithmetic overflow. In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size. Affected products include: Aomedia Libavif. Version information: before 1.3.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate arithmetic operations, use safe integer libraries, check bounds before allocation.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2025-48174 vulnerability details – vuln.today

Back

Libavif CVE-2025-48174

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code