| Name | CVE-2025-8733 |
| Description | A flaw has been found in GNU Bison up to 3.8.2. This affects the function __obstack_vprintf_internal of the file obprintf.c. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been published and may be used. It is still unclear if this vulnerability genuinely exists. The issue could not be reproduced from a GNU Bison 3.8.2 tarball run in a Fedora 42 container. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1110610 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| bison (PTS) | bullseye | 2:3.7.5+dfsg-1 | vulnerable |
| forky, sid, bookworm, trixie | 2:3.8.2+dfsg-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| bison | source | (unstable) | (unfixed) | unimportant | | 1110610 |
Notes
https://github.com/akimd/bison/issues/113
https://github.com/akimd/bison/issues/114
Crash in CLI tool, no security impact