What is the CVSS score of CVE-2025-48174?

CVE-2025-48174 has a CVSS 3.1 base score of 4.5 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L. EPSS exploitation probability: 0.4%.

Which versions of Libavif are affected by CVE-2025-48174?

Organizations using libavif should be aware of moderate risk from CVE-2025-48174, a integer overflow vulnerability rated CVSS 4.5. Exploitation could cause memory corruption or application crashes.. A patch is available.

How to fix or mitigate CVE-2025-48174?

During next maintenance window: Identify affected systems running libavif and apply vendor patches when convenient. Vendor patch is available.

Libavif CVE-2025-48174

MEDIUM

Integer Overflow or Wraparound (CWE-190)

2025-05-16 cve@mitre.org

Integer Overflow Buffer Overflow Libavif Suse

4.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

4.5 MEDIUM

AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

SUSE

MEDIUM

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:42 vuln.today

Patch released

Mar 28, 2026 - 18:42 nvd

Patch available

CVE Published

May 16, 2025 - 05:15 nvd

MEDIUM 4.5

DescriptionCVE.org

In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size.

AnalysisAI

In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size. Rated medium severity (CVSS 4.5), this vulnerability is no authentication required.

Technical ContextAI

This vulnerability is classified as Integer Overflow (CWE-190), which allows attackers to cause unexpected behavior through arithmetic overflow. In libavif before 1.3.0, makeRoom in stream.c has an integer overflow and resultant buffer overflow in stream->offset+size. Affected products include: Aomedia Libavif. Version information: before 1.3.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate arithmetic operations, use safe integer libraries, check bounds before allocation.

Vendor StatusVendor

SUSE

Severity: Medium

Product	Status
SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6	Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7	Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS	Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS	Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS	Fixed

CVE-2025-48174 vulnerability details – vuln.today

Back

SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS	Fixed
SUSE Linux Enterprise Server 15 SP4-LTSS	Fixed
SUSE Linux Enterprise Server 15 SP5-LTSS	Fixed
SUSE Linux Enterprise Server 16.0	Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP4	Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP5	Fixed
SUSE Manager Proxy LTS 4.3	Fixed
SUSE Manager Retail Branch Server LTS 4.3	Fixed
SUSE Manager Server LTS 4.3	Fixed
openSUSE Leap 15.6	Fixed
openSUSE Tumbleweed	Fixed
SUSE Linux Enterprise Desktop 15 SP7	Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7	Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7	Fixed
SUSE Linux Enterprise Server 15 SP7	Fixed
SUSE Linux Enterprise Server 16.0	Fixed
SUSE Linux Enterprise Server 16.1	Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7	Fixed
SUSE Linux Enterprise Server for SAP applications 16.0	Fixed
SUSE Linux Enterprise Server for SAP applications 16.1	Fixed
openSUSE Leap 15.6	Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4	Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS	Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5	Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS	Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP4	Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP5	Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP6	Fixed
SUSE Linux Enterprise Server 15 SP4	Fixed
SUSE Linux Enterprise Server 15 SP4-LTSS	Fixed
SUSE Linux Enterprise Server 15 SP5	Fixed
SUSE Linux Enterprise Server 15 SP5-LTSS	Fixed
SUSE Linux Enterprise Server 15 SP6	Fixed
SUSE Linux Enterprise Server 15 SP6-LTSS	Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP6	Fixed
SUSE Manager Proxy 4.3	Fixed
SUSE Manager Proxy LTS 4.3	Fixed
SUSE Manager Retail Branch Server 4.3	Fixed
SUSE Manager Retail Branch Server LTS 4.3	Fixed
SUSE Manager Server 4.3	Fixed
SUSE Manager Server LTS 4.3	Fixed
SUSE Linux Enterprise Desktop 15 SP4	Fixed
SUSE Linux Enterprise Desktop 15 SP5	Fixed
SUSE Linux Enterprise Desktop 15 SP6	Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS	Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS	Fixed
SUSE Linux Enterprise High Performance Computing 15 SP6	Fixed
SUSE Linux Enterprise Real Time 15 SP4	Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP4	Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP5	Fixed
openSUSE Leap 15.4	Fixed
openSUSE Leap 15.5	Fixed
SUSE Manager Proxy 4.3 LTS	Fixed
SUSE Manager Retail Branch Server 4.3 LTS	Fixed
SUSE Manager Server 4.3 LTS	Fixed

Libavif CVE-2025-48174

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code