CVE-2025-68114
Stack Buffer Overflow in Capstone SStream_concat via vsnprintf
Publication date: 2025-12-17
Last updated on: 2025-12-18
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| capstone | capstone | 6.0.0-alpha5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-124 | The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. |
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Capstone versions 6.0.0-Alpha5 and prior involves an unchecked return value from the vsnprintf function in SStream_concat. A malicious use of cs_opt_mem.vsnprintf can cause SStream's index to become negative or exceed its bounds, leading to a stack buffer underflow or overflow when subsequent writes occur.
How can this vulnerability impact me?
The vulnerability can lead to a stack buffer underflow or overflow, which may allow an attacker with limited privileges to cause memory corruption. This can potentially result in information disclosure, integrity compromise, or denial of service.
What immediate steps should I take to mitigate this vulnerability?
Update Capstone to a version later than 6.0.0-Alpha5 that includes the fix from commit 2c7797182a1618be12017d7d41e0b6581d5d529e to prevent the stack buffer underflow/overflow issue.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by compiling Capstone with AddressSanitizer (ASan) instrumentation and running a test program that supplies a custom vsnprintf function returning -1, which triggers the stack buffer underflow/overflow. The test function 'test_underflow_in_sstream' simulates this condition, and ASan reports the resulting out-of-bounds write. Specifically, build Capstone with ASan enabled (e.g., using clang with -fsanitize=address) and run the provided proof-of-concept or test code that exercises SStream_concat with a malicious cs_vsnprintf implementation. There are no network detection commands: the vulnerability is local and requires local code execution or plugin loading. Example steps:
1) Clone the Capstone repository and check out the vulnerable version.
2) Compile with ASan: `clang -fsanitize=address -g -o test test.c`
3) Run the test executable and observe whether ASan reports a crash.
This approach detects the vulnerability by triggering the unsafe behavior at runtime rather than by network scanning. [1, 2]
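The root cause above is an unchecked vsnprintf return value moving SStream's index. The following is an added example, not Capstone's code: a constructed, minimal string stream whose concat validates that return value, exercised with a well-behaved formatter, one returning -1 (the advisory's test case) and one that claims a length larger than the buffer (the "exceed its bounds" case). All names (sstream_t, sstream_concat_checked, vsnprintf_fn, index_after) are hypothetical stand-ins for the SStream / cs_opt_mem.vsnprintf pair.

```c
/* Constructed example (not Capstone's code): a minimal string stream whose
 * concat checks the vsnprintf return value before moving the write index.
 * All identifiers are hypothetical stand-ins for SStream/cs_opt_mem. */
#include <stdarg.h>
#include <stdio.h>
#define SSTREAM_CAP 64
typedef int (*vsnprintf_fn)(char *, size_t, const char *, va_list);
typedef struct {
    char buffer[SSTREAM_CAP];
    size_t index;   /* next write position; invariant: index < SSTREAM_CAP */
} sstream_t;

/* Returns 0 on success, -1 if the formatter reported an error or a length
 * that would not fit. On failure the stream is left exactly as it was. */
static int sstream_concat_checked(sstream_t *ss, vsnprintf_fn fn,
                                  const char *fmt, ...)
{
    size_t avail = SSTREAM_CAP - ss->index;   /* bytes left, incl. NUL */
    va_list ap;
    va_start(ap, fmt);
    int n = fn(ss->buffer + ss->index, avail, fmt, ap);
    va_end(ap);
    /* Unchecked, n < 0 walks index backwards; n >= avail pushes it past the end. */
    if (n < 0 || (size_t)n >= avail) {
        ss->buffer[ss->index] = '\0';   /* drop any partial output */
        return -1;
    }
    ss->index += (size_t)n;
    return 0;
}

/* A well-behaved formatter and two hostile ones modelled on the advisory:
 * one returns -1, one claims a length far larger than it actually wrote. */
static int vsnprintf_honest(char *s, size_t n, const char *f, va_list ap)
{ return vsnprintf(s, n, f, ap); }
static int vsnprintf_minus_one(char *s, size_t n, const char *f, va_list ap)
{ (void)s; (void)n; (void)f; (void)ap; return -1; }
static int vsnprintf_overclaims(char *s, size_t n, const char *f, va_list ap)
{ vsnprintf(s, n, f, ap); return 1 << 20; }

/* Appends "mov" honestly, then " eax" through fn; returns the final index.
 * Expected: 7 with the honest formatter, 3 (unchanged) with a hostile one. */
static size_t index_after(vsnprintf_fn fn)
{
    sstream_t ss = { {0}, 0 };
    sstream_concat_checked(&ss, vsnprintf_honest, "%s", "mov");
    sstream_concat_checked(&ss, fn, "%s", " eax");
    return ss.index;
}
```

With the check in place the hostile formatters are rejected and the index never leaves the buffer, which is the property the fix commit named above restores.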