CVE-2019-25695
Received Received - Intake
Local Buffer Overflow in R 3.4.4 GUI Enables Code Execution

Publication date: 2026-04-12

Last updated on: 2026-04-12

Assigner: VulnCheck

Description
R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by injecting malicious input into the GUI Preferences language field. Attackers can craft a payload with a 292-byte offset and JMP ESP instruction to execute commands like calc.exe when the payload is pasted into the Language for menus and messages field.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-12
Last Modified
2026-04-12
Generated
2026-06-16
AI Q&A
2026-04-12
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25695
EUVD
EUVD-2019-20130
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
r_project r 3.4.4
r_project r to 3.4.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25695 is a local buffer overflow vulnerability in R version 3.4.4 that occurs in the GUI Preferences language field. An attacker can inject a specially crafted payload with a 292-byte offset and a JMP ESP instruction into the "Language for menus and messages" field. When this payload is pasted and confirmed, it triggers a buffer overflow that allows the attacker to execute arbitrary code on the affected system.

The exploit involves overflowing a buffer by inputting 292 bytes of data, overwriting the return address with a JMP ESP instruction found in user32.dll, and then executing shellcode such as launching calc.exe as a proof of concept.

Impact Analysis

This vulnerability allows an attacker with local access to execute arbitrary code on the affected system without requiring privileges or user interaction. This means an attacker can run malicious commands or programs, potentially compromising the confidentiality, integrity, and availability of the system.

Because the exploit can execute code such as launching applications or potentially more harmful payloads, it can lead to unauthorized control over the system, data theft, data corruption, or denial of service.

Detection Guidance

This vulnerability is a local buffer overflow in R version 3.4.4 affecting the GUI Preferences language field. Detection involves verifying if the vulnerable R version is installed and checking if the malicious payload has been used in the 'Language for menus and messages' field.

Since the exploit requires local interaction with the R GUI, network detection is limited. On the system, you can check the installed R version by running the following command in R or a command prompt:

  • In R console: `R.version.string`
  • In Windows command prompt (if R is in PATH): `R --version`

Additionally, monitoring for suspicious clipboard activity or unexpected execution of programs like calc.exe after interacting with R's GUI Preferences could indicate exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability, immediately avoid using R version 3.4.4 on Windows XP SP3 or earlier versions that are vulnerable.

Do not paste untrusted or suspicious input into the 'Language for menus and messages' field in the GUI Preferences of R.

If possible, upgrade to a newer, patched version of R that does not contain this vulnerability.

Restrict local access to systems running vulnerable R versions to trusted users only.

Monitor for unusual behavior such as unexpected execution of applications (e.g., calc.exe) triggered by R.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25695. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart