How to fix CVE-2025-6663?

Within 7 days: Identify all affected systems and apply vendor patches promptly. If patching is delayed, consider network segmentation to limit exposure.

Is Stack Overflow affected by CVE-2025-6663?

CVE-2025-6663 presents notable security risk, a stack-based buffer overflow vulnerability rated CVSS 7.8. Exploitation could allow attackers to corrupt memory, crash the application, or potentially execute arbitrary code.

CVE-2025-6663

EUVD-2025-20240 HIGH

2025-07-07 [email protected]

7.8

CVSS 3.0

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 03:37 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 03:37 euvd

EUVD-2025-20240

Patch Released

Mar 16, 2026 - 03:37 nvd

Patch available

CVE Published

Jul 07, 2025 - 15:15 nvd

HIGH 7.8

Description

GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of H266 sei messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27381.

Analysis

GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability.

Technical Context

A buffer overflow occurs when data written to a buffer exceeds its allocated size, potentially overwriting adjacent memory and corrupting program state. This vulnerability is classified as Stack-based Buffer Overflow (CWE-121).

Affected Products

Affected products: Gstreamer Project Gstreamer

Remediation

A vendor patch is available — apply it immediately. Use memory-safe languages or bounds-checked functions. Enable ASLR, DEP/NX, and stack canaries. Apply vendor patches promptly.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +39

POC: 0

Vendor Status

Ubuntu

Priority: Medium

gst-plugins-bad1.0

Release	Status	Version
trusty	needs-triage	-
xenial	needs-triage	-
bionic	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
noble	needs-triage	-
upstream	released	1.26.3-1
plucky	ignored	end of life, was needs-triage
oracular	ignored	end of life, was needs-triage
questing	needs-triage	-

Debian

Bug #1108973

gst-plugins-bad1.0

Release	Status	Fixed Version	Urgency
bullseye	not-affected	-	-
bullseye (security)	fixed	1.18.4-3+deb11u5	-
bookworm, bookworm (security)	fixed	1.22.0-4+deb12u6	-
trixie	fixed	1.26.2-3	-
forky, sid	fixed	1.28.1-2	-
experimental	fixed	1.26.3-1	-
bookworm	not-affected	-	-
(unstable)	fixed	1.26.2-3	-

CVE-2025-6663 vulnerability details – vuln.today

Back

CVE-2025-6663

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-6663

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code