CVE-2025-67873
📋 TL;DR
Capstone disassembly framework versions 6.0.0-Alpha5 and prior contain a heap buffer overflow in the disassembly path. The advisory ties the bug to skipdata callback handling: an attacker who controls the bytes being disassembled can trigger it when the consuming application has enabled the skipdata feature (CS_OPT_SKIPDATA with a skipdata callback), corrupting heap memory. Any application or tool that links a vulnerable Capstone for binary analysis, reverse engineering or instrumentation is affected.
💻 Affected Systems
- Capstone disassembly framework
📦 What is this software?
Capstone by Capstone Engine: a multi-architecture disassembly framework distributed as a C library with bindings for Python and several other languages, and embedded in debuggers, reverse-engineering tools, binary-analysis pipelines and instrumentation frameworks.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution: a heap overflow driven by attacker-controlled input can in principle be turned into code execution in the context of the process doing the disassembly. That becomes complete system compromise only where that process is privileged or unsandboxed and sits in a network-facing service that disassembles untrusted uploads (malware sandboxes, analysis portals, CI binary-analysis jobs).
Likely Case
Application crash (denial of service) or memory corruption leading to unstable behavior in tools using Capstone for disassembly.
If Mitigated
No impact if the application never enables the skipdata feature, or if Capstone only ever sees trusted input. Note that generic "input validation" is not a practical control here: every byte sequence is legitimate input to a disassembler, so the realistic compensating controls are not enabling skipdata on untrusted data and isolating the disassembling process.
🎯 Exploit Status
Exploitation requires crafting malicious binary data that triggers the skipdata callback overflow. No public exploits have been reported as of the advisory date.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: no release number is named; the fix is commit cbef767ab33b82166d263895f24084b75b316df3 and any build that contains it
Vendor Advisory: https://github.com/capstone-engine/capstone/security/advisories/GHSA-hj6g-v545-v7jg
Restart Required: processes that already have the old libcapstone loaded keep using it until restarted; statically linked consumers must be rebuilt
Instructions:
1. Update Capstone to a build that contains commit cbef767ab33b82166d263895f24084b75b316df3 (distribution package, vendored source or git submodule, whichever your build uses).
2. Rebuild any application that links Capstone statically, and update language bindings that bundle their own copy of the library (the capstone package on PyPI ships a prebuilt libcapstone).
3. Replace the library in deployed applications and restart every process that had the old copy loaded.
🔧 Temporary Workarounds
Disable skipdata callbacks
Avoid using skipdata callbacks with cs_disasm or cs_disasm_iter where possible, since this is the vulnerable code path.
Modify application code so it does not set CS_OPT_SKIPDATA (nor CS_OPT_SKIPDATA_SETUP with a callback). Without skipdata enabled, Capstone stops at the first undecodable byte sequence, so callers that relied on skipdata to step over embedded data must handle that stop themselves.
🧯 If You Can't Patch
- Isolate applications using Capstone: run the disassembly step in an unprivileged, sandboxed worker process (separate user, seccomp or container limits, no network) so that a crash or memory corruption there does not reach the rest of the service
- Limit what reaches Capstone: only disassemble input from trusted sources, cap input sizes, and treat a worker crash as a reason to quarantine the offending sample rather than retry it
🔍 How to Verify
Check if Vulnerable:
Check whether your application links Capstone 6.0.0-Alpha5 or earlier (the advisory range covers every older release, including 5.x and 4.x), and whether it enables skipdata (CS_OPT_SKIPDATA or a skipdata callback) with cs_disasm or cs_disasm_iter.
Check Version:
Check the Capstone version in your application's dependencies, or run: pkg-config --modversion capstone (system-wide install); for the Python binding, pip show capstone. Note that the C API's cs_version() reports only major and minor numbers, so it cannot tell a 6.0.0 pre-release from a final 6.0.0.
Verify Fix Applied:
Verify that the deployed Capstone contains commit cbef767ab33b82166d263895f24084b75b316df3. For a source or submodule build, run in the Capstone checkout: git merge-base --is-ancestor cbef767ab33b82166d263895f24084b75b316df3 HEAD (exit status 0 means the fix is in the history). For a packaged build, confirm the package changelog or upstream tag references the fix, then restart consumers so the new library is actually loaded.
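The two checks above (is the version in the affected range, and does our code enable the skipdata path) as a small audit script. This is an added example, not code from the advisory or the Capstone project. It assumes that any release newer than 6.0.0-Alpha5 contains the fix (the advisory identifies the fix by commit, so for git builds the merge-base check remains the authoritative one), and the SAMPLE_C / SAMPLE_PY snippets are constructed stand-ins for an application's own source:

```python
"""Audit helpers for CVE-2025-67873 (Capstone skipdata path).

Added example, not code from the Capstone project or the advisory.
  1. version_is_affected(): is a version string within the advisory's
     range "6.0.0-Alpha5 and prior"?
  2. find_skipdata_usage(): does our source enable CS_OPT_SKIPDATA or a
     skipdata callback, the code path the advisory names?
Assumption: a release newer than 6.0.0-Alpha5 is treated as patched;
only the fix commit being in the history proves it for git builds.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# Last affected release named by the advisory.
LAST_AFFECTED = "6.0.0-Alpha5"

# Accepts "5.0.1", "6.0.0-Alpha5", "6.0.0a5", "6.0.0-rc1", "6.0.0".
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)"
    r"(?:[-.]?(alpha|beta|rc|a|b)(\d+))?$",
    re.IGNORECASE,
)
# Pre-release stages sort below a final release (rank 3).
_STAGE_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "rc": 2}


def version_key(version: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Sortable key, or None if the string is not a plain release or
    pre-release tag (e.g. a git describe string such as 6.0.0-Alpha5-12-gabc)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    rank = _STAGE_RANK[stage.lower()] if stage else 3
    return (int(major), int(minor), int(patch), rank, int(num or 0))


def version_is_affected(version: str) -> Optional[bool]:
    """True if 6.0.0-Alpha5 or older, False if newer, None if unparseable
    (fall back to checking for the fix commit)."""
    key = version_key(version)
    if key is None:
        return None
    return key <= version_key(LAST_AFFECTED)


# Tokens that enable the skipdata path in the C API and the Python binding.
_SKIPDATA_RE = re.compile(
    r"CS_OPT_SKIPDATA(?:_SETUP)?|cs_opt_skipdata|cs_skipdata_cb_t"
    r"|\bskipdata\w*"
)


def find_skipdata_usage(source: str) -> List[Tuple[int, str]]:
    """Coarse grep for skipdata use; returns (line number, token) pairs."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in _SKIPDATA_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def installed_version() -> Optional[str]:
    """Ask pkg-config for the system-wide Capstone version, if any."""
    try:
        out = subprocess.run(["pkg-config", "--modversion", "capstone"],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or None


# Constructed snippets standing in for an application's own source.
SAMPLE_C = """\
cs_open(CS_ARCH_X86, CS_MODE_64, &handle);
cs_option(handle, CS_OPT_SKIPDATA, CS_OPT_ON);
cs_opt_skipdata sd = { "db", my_cb, NULL };
cs_option(handle, CS_OPT_SKIPDATA_SETUP, (size_t)&sd);
"""
SAMPLE_PY = """\
md = Cs(CS_ARCH_X86, CS_MODE_64)
md.skipdata = True
md.skipdata_setup = ("db", my_cb, None)
"""

if __name__ == "__main__":
    import sys
    v = installed_version()
    print("installed:", v, "affected:", version_is_affected(v) if v else "unknown")
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as f:
            for lineno, tok in find_skipdata_usage(f.read()):
                print(f"{path}:{lineno}: {tok}")
```

Run it with the source files of the consuming application as arguments; a hit from find_skipdata_usage on an affected version is what puts a deployment on the vulnerable path described above, while no hits means the workaround is already in effect even before the library is updated.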
📡 Detection & Monitoring
Log Indicators:
- Application crashes or abnormal termination when processing binary data
- Memory corruption errors in application logs
Network Indicators:
- Unusual or malformed binaries submitted to services that disassemble untrusted input (malware sandboxes, analysis portals, firmware-analysis or CI binary-analysis jobs), especially samples that repeatedly crash the worker
SIEM Query:
Search for crashes or memory-violation errors in processes known to use Capstone: on Linux, kernel segfault messages whose faulting mapping is libcapstone (or a tool that links it statically), core dumps from those processes, and ASan or crash-handler reports mentioning cs_disasm or cs_disasm_iter; on Windows, Application Error events (Event ID 1000) whose faulting module is capstone.dll or a known consumer.
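The Linux half of that query as runnable triage logic. This is an added example, not code from the advisory or the Capstone project. It parses kernel segfault messages in syslog format and reports a line when the faulting mapping is libcapstone or when the crashing process is on a caller-supplied list of known Capstone consumers (needed for statically linked tools, where the mapping is the binary itself). The log lines and the consumer list are constructed; the kernel message format matched by _SEGV_RE is the x86 one, and a hit means "investigate", not proof that this CVE was exploited:

```python
"""Triage crash log lines for Capstone-linked processes.

Added example, not part of the advisory or the Capstone project.
Assumptions: the x86 kernel "segfault at ... in <object>[...]" message
format with a syslog prefix, and the constructed SAMPLE_LOG below.
"""
import re
from typing import Iterable, List, NamedTuple, Optional, Set


class CrashEvent(NamedTuple):
    host: str
    process: str
    pid: int
    error: int              # x86 page-fault error code as printed
    mapping: Optional[str]  # object containing the faulting ip, if given
    reason: str


# Kernel show_signal_msg() output, e.g.
#   prog[4242]: segfault at 0 ip 00007f... sp 00007ffd... error 4 in libcapstone.so.5[7f...+...]
# preceded by a syslog prefix "Jan 14 10:02:31 host kernel: [uptime] ".
_SEGV_RE = re.compile(
    r"^(?P<ts>\S+\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+kernel:\s+(?:\[[\d. ]+\]\s+)?"
    r"(?P<proc>\S+?)\[(?P<pid>\d+)\]: segfault at [0-9a-f]+ "
    r"ip [0-9a-f]+ sp [0-9a-f]+ error (?P<err>\d+)"
    r"(?: in (?P<map>[^\[\s]+)\[[0-9a-f]+\+[0-9a-f]+\])?"
)

# x86 page-fault error code bits (arch/x86/include/asm/trap_pf.h);
# higher bits (reserved-bit, instruction-fetch, ...) are not decoded here.
_PF_PROT, _PF_WRITE, _PF_USER = 1, 2, 4


def describe_error(code: int) -> str:
    """Human-readable decode of the 'error N' field."""
    mode = "user-mode" if code & _PF_USER else "kernel-mode"
    op = "write" if code & _PF_WRITE else "read"
    cause = "protection violation" if code & _PF_PROT else "unmapped page"
    return f"{mode} {op}, {cause}"


def scan_crash_lines(lines: Iterable[str], capstone_consumers: Set[str]) -> List[CrashEvent]:
    """Return the crash events worth a look from an iterable of log lines."""
    events: List[CrashEvent] = []
    for line in lines:
        m = _SEGV_RE.match(line)
        if not m:
            continue
        mapping = m.group("map")
        proc = m.group("proc")
        if mapping and mapping.startswith("libcapstone"):
            reason = "fault inside libcapstone mapping"
        elif proc in capstone_consumers:
            reason = "process on Capstone-consumer list"
        else:
            continue
        events.append(CrashEvent(m.group("host"), proc, int(m.group("pid")),
                                 int(m.group("err")), mapping, reason))
    return events


# Constructed sample: two hits, one unrelated segfault, one non-crash line.
SAMPLE_LOG = """\
Jan 14 10:02:31 build01 kernel: [12345.678901] bin-scan[4242]: segfault at 7f2c1a3b0000 ip 00007f2c19e2b1c4 sp 00007ffd3c9a1e70 error 4 in libcapstone.so.5.0.1[7f2c19e00000+a3000]
Jan 14 10:02:33 build01 kernel: [12347.001122] ghidra[5100]: segfault at 0 ip 0000556d2f4e11a0 sp 00007ffc0f11e0c0 error 6 in ghidra[556d2f400000+2c000]
Jan 14 10:03:00 build01 kernel: [12374.500000] nginx[900]: segfault at 10 ip 00007f0000001234 sp 00007ffd00000000 error 4 in libc.so.6[7f0000000000+1c0000]
Jan 14 10:03:05 build01 sshd[1200]: Accepted publickey for ops from 10.0.0.5 port 51000 ssh2
"""

if __name__ == "__main__":
    for ev in scan_crash_lines(SAMPLE_LOG.splitlines(), {"ghidra"}):
        print(f"{ev.host} {ev.process}[{ev.pid}] {ev.reason}; "
              f"{describe_error(ev.error)}; mapping={ev.mapping}")
```

The consumer list is the part that needs local knowledge: a statically linked analysis tool crashes "in" its own binary, so only an explicit list catches it. The error-code decode is there because a user-mode read of an unmapped page just past a heap buffer is exactly what a heap over-read looks like in these messages, while a kernel-mode fault points somewhere else entirely.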