CVE-2017-10686
Last modified
CVE-2017-10686 is a vulnerability of currently unknown severity. In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after free vulnerabilities in the tool nasm. The related heap is allocated in the token() function and freed in the detoken() function (called by pp_getline()) - it is used again at multiple positions later that could cause multiple damages. EPSS estimates a 2.95% chance of exploitation in the next 30 days.
Description
In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after free vulnerabilities in the tool nasm. The related heap is allocated in the token() function and freed in the detoken() function (called by pp_getline()) - it is used again at multiple positions later that could cause multiple damages. For example, it causes a corrupted double-linked list in detoken(), a double free or corruption in delete_Token(), and an out-of-bounds write in detoken(). It has a high possibility to lead to a remote code execution attack.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Nasm | Netwide Assembler | 2.14 | Rc0 |
| Canonical | Ubuntu Linux | 14.04 | — |
References
- https://bugzilla.nasm.us/show_bug.cgi?id=3392414Exploit, Issue Tracking, Patch, Third Party Advisory, VDB Entry
- https://usn.ubuntu.com/3694-1/Third Party Advisory
- https://bugzilla.nasm.us/show_bug.cgi?id=3392414Exploit, Issue Tracking, Patch, Third Party Advisory, VDB Entry
- https://usn.ubuntu.com/3694-1/Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-10686?
How severe is CVE-2017-10686?
How do I fix CVE-2017-10686?
Are you affected by CVE-2017-10686?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST