CVE-2025-8733

Name: CVE-2025-8733
Description: A flaw has been found in GNU Bison up to 3.8.2. It affects the function __obstack_vprintf_internal in the file obprintf.c. Manipulation of this function can lead to a reachable assertion. The attack requires local access. The exploit has been published and may be used. It is still unclear if this vulnerability genuinely exists: the issue could not be reproduced from a GNU Bison 3.8.2 tarball run in a Fedora 42 container.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1110610

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                      | Version         | Status
bison (PTS)    | bullseye                     | 2:3.7.5+dfsg-1  | vulnerable
bison (PTS)    | forky, sid, bookworm, trixie | 2:3.8.2+dfsg-1  | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency     | Origin | Debian Bugs
bison   | source | (unstable) | (unfixed)     | unimportant |        | 1110610

Notes

https://github.com/akimd/bison/issues/113
https://github.com/akimd/bison/issues/114
Crash in CLI tool, no security impact
