CVE-2025-7345 is a classic buffer overflow vulnerability identified in the gdk-pixbuf library, a widely used image loading and rendering library, and in the glib library's Base64 encoding function. The flaw resides in the gdk_pixbuf__jpeg_image_load_increment function (located in io-jpeg.c) and glib's g_base64_encode_step function (glib/gbase64.c). When a maliciously crafted JPEG image is processed, the heap buffer overflow occurs during the Base64 encoding step, leading to out-of-bounds reads from heap memory. This memory corruption can cause application instability, crashes, or potentially arbitrary code execution if exploited successfully. The vulnerability does not require any privileges or user interaction, and it can be triggered remotely by supplying a crafted JPEG image to an application that uses these libraries for image processing. The CVSS v3.1 score is 7.5, reflecting a high severity due to the network attack vector, low attack complexity, and no required privileges or user interaction, but with impact limited to availability (application crashes) and no direct confidentiality or integrity impact reported. The affected product explicitly mentioned is Red Hat Enterprise Linux 10, which bundles these libraries. While no known exploits are currently reported in the wild, the nature of the vulnerability makes it a candidate for future exploitation, especially in environments processing untrusted image data. The lack of patch links suggests that fixes may be forthcoming or pending release.

The primary impact of CVE-2025-7345 is potential denial of service through application crashes when processing malicious JPEG images, which can disrupt services relying on image handling. More critically, the heap buffer overflow could be leveraged by attackers to execute arbitrary code remotely, potentially leading to full system compromise. This is particularly concerning for servers and applications that automatically process user-supplied images, such as web servers, content management systems, and image processing pipelines. The vulnerability's exploitation does not require authentication or user interaction, increasing the attack surface. Organizations running Red Hat Enterprise Linux 10 or other Linux distributions using vulnerable versions of gdk-pixbuf and glib are at risk. The impact extends to any software that depends on these libraries, including desktop environments and cloud services. If exploited, attackers could gain control over affected systems, leading to data breaches, service outages, or lateral movement within networks.

Organizations should monitor Red Hat and upstream glib and gdk-pixbuf projects for official patches and apply them promptly once available. In the interim, restrict or sanitize untrusted JPEG image inputs, especially in public-facing applications. Employ application-level sandboxing or containerization to limit the impact of potential exploitation. Use intrusion detection systems to monitor for anomalous crashes or suspicious image processing activity. Consider disabling or replacing vulnerable image processing components if patching is delayed. Regularly update all system packages to ensure inclusion of security fixes. Additionally, implement network-level protections such as web application firewalls (WAFs) to detect and block malicious payloads targeting image processing endpoints. Conduct thorough code reviews and testing for any custom image handling code to prevent similar vulnerabilities.