CVE-2025-8736

Name	CVE-2025-8736
Description	A vulnerability, which was classified as critical, has been found in GNU cflow up to 1.8. Affected by this issue is the function yylex of the file c.c of the component Lexer. The manipulation leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
cflow (PTS)	bullseye	1:1.6-4	vulnerable
	bookworm	1:1.7-4	vulnerable
	forky, sid, trixie	1:1.7-5	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
cflow	source	(unstable)	(unfixed)

Notes

[trixie] - cflow <no-dsa> (Minor issue)
[bookworm] - cflow <no-dsa> (Minor issue)
[bullseye] - cflow <ignored> (Crash in CLI tools)
https://lists.gnu.org/archive/html/bug-cflow/2025-07/msg00001.html