GNU cflow
cpe:2.3:a:gnu:cflow:*:*:*:*:*:*:*
- <= 1.8
A critical buffer overflow vulnerability has been identified in GNU cflow versions up to and including 1.8. The issue is in the lexical analysis function 'yylex' in the file 'c.c': a crafted input can drive an array index out of range, leading to out-of-bounds memory access and a segmentation fault. The vulnerability is locally exploitable.
Exploitation causes a segmentation fault, that is, a crash due to invalid memory access. Buffer overflows of this kind can, under certain conditions, be exploited to execute arbitrary code.
The vulnerability can be reproduced by compiling the latest version of GNU cflow and running it with the '--tree' option on a crafted C source file containing the malformed code that triggers the overflow.