CVE-2025-67873
Unknown Unknown - Not Provided
Heap Buffer Overflow in Capstone Disassembly Framework Skipdata Handling

Publication date: 2025-12-17

Last updated on: 2025-12-18

Assigner: GitHub, Inc.

Description
Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, Skipdata length is not bounds-checked, so a user-provided skipdata callback can make cs_disasm/cs_disasm_iter memcpy more than 24 bytes into cs_insn.bytes, causing a heap buffer overflow in the disassembly path. Commit cbef767ab33b82166d263895f24084b75b316df3 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67873
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
capstone disassembly_framework 6.0.0-alpha5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Capstone disassembly framework versions 6.0.0-Alpha5 and earlier. It occurs because the length of skipdata is not properly bounds-checked. As a result, a user-provided skipdata callback can cause the functions cs_disasm or cs_disasm_iter to copy more than 24 bytes into the cs_insn.bytes buffer, leading to a heap buffer overflow during the disassembly process.

Impact Analysis

The heap buffer overflow caused by this vulnerability can lead to memory corruption, which may result in application crashes, unexpected behavior, or potentially allow an attacker to execute arbitrary code or escalate privileges within the context of the application using the Capstone framework.

Mitigation Strategies

Update Capstone to a version later than 6.0.0-Alpha5 that includes the fix from commit cbef767ab33b82166d263895f24084b75b316df3 to prevent the heap buffer overflow caused by improper bounds checking in the skipdata callback.

Detection Guidance

This vulnerability can be detected by testing the Capstone disassembly framework with skipdata enabled and a user-defined skipdata callback that returns a length exceeding the 24-byte buffer size, which triggers the heap buffer overflow. Specifically, running test cases similar to those added in the fix, such as forcing the skipdata path with an invalid opcode (e.g., 0x06 for WASM architecture) and a large buffer (e.g., 1024 bytes), can reveal the overflow. Using tools like AddressSanitizer (ASan) during these tests can detect heap buffer overflows. While no specific network commands are provided, you can run the provided test functions `test_overflow_cs_insn_bytes()` and `test_overflow_cs_insn_bytes_iter()` from the Capstone test suite or create a custom test harness that invokes `cs_disasm` or `cs_disasm_iter` with a skipdata callback returning large skipdata lengths. Example commands would involve compiling Capstone with ASan enabled and running these tests or custom scripts that disassemble crafted input triggering the skipdata path. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart