CVE-2025-8843
BaseFortify
Publication date: 2025-08-11
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nasm | netwide_assembler | 2.17 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8843 is a heap-based buffer overflow vulnerability in NASM (Netwide Assembler) version 2.17rc0. It occurs in the function macho_no_dead_strip within the source file outmacho.c due to improper bounds checking when handling Mach-O pragma directives. Specifically, the function allocates a small 4-byte buffer but attempts to read beyond this allocated memory, causing a heap overflow. This overflow can lead to memory corruption and potentially crash the program. Exploitation requires local access and a crafted input that triggers the overflow during assembly processing. [1, 2, 3, 4]
How can this vulnerability impact me?
This vulnerability can impact you by causing NASM to crash or behave unpredictably when processing maliciously crafted Mach-O pragma directives, potentially leading to denial of service. Because it is a heap buffer overflow, it may also allow an attacker with local access to corrupt memory, which could be leveraged to compromise the confidentiality, integrity, or availability of the system running NASM. However, exploitation requires local access and no remote exploitation is possible. There are currently no known mitigations or patches, so replacing NASM or avoiding the vulnerable version is recommended. [1, 2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by compiling NASM with AddressSanitizer enabled and running a proof-of-concept (PoC) assembly file that triggers the heap buffer overflow. Specifically, you can use the command `nasm -f macho POC_nasm_heap_buffer_overflow_macho_no_dead_strip_1` or, for the second variant, `nasm -f macho32 POC_nasm_heap_buffer_overflow_macho_no_dead_strip_2`. If NASM crashes with a heap-buffer-overflow error, the vulnerability is present. This requires local access and the PoC files containing crafted Mach-O pragma directives to trigger the overflow. [2, 3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing NASM version 2.17rc0 and any other affected versions with an alternative assembler tool, as no patches or countermeasures are currently available. Avoid using the vulnerable NASM versions locally, especially when producing Mach-O output. Monitoring for updates or patches from the NASM developers is recommended, but until then, do not run untrusted assembly code that could trigger the vulnerability. [1]