CVE-2025-68114

4.8 MEDIUM

📋 TL;DR

This vulnerability in the Capstone disassembly framework allows an attacker to trigger a stack buffer underflow or overflow by manipulating the return value of vsnprintf through a malicious cs_opt_mem.vsnprintf callback. This can lead to memory corruption and potentially code execution. Capstone 6.0.0-Alpha5 and earlier versions are affected.
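As an added defensive example (not Capstone's own code), the following C helper shows the check that prevents this class of bug: a formatting routine that goes through a pluggable vsnprintf callback, mirroring the role of cs_opt_mem.vsnprintf, must validate the callback's return value before using it as a buffer offset. The callback doubles and the helper names are constructed for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same shape as cs_opt_mem.vsnprintf: a user-replaceable formatter. */
typedef int (*vsnprintf_fn)(char *, size_t, const char *, va_list);

/* Append formatted text at offset *used in buf (capacity size) using fn.
   Returns 1 on success, 0 if fn's return value cannot be used as an offset.
   Hypothetical helper; the check is the point, not the API. */
static int safe_append(char *buf, size_t size, size_t *used, vsnprintf_fn fn,
                       const char *fmt, ...)
{
    if (*used >= size) return 0;
    size_t avail = size - *used;
    va_list ap;
    va_start(ap, fmt);
    int ret = fn(buf + *used, avail, fmt, ap);
    va_end(ap);
    /* A conforming vsnprintf returns the length it wanted to write, or a
       negative value on error. Anything outside [0, avail) means the output
       was truncated or the callback lied; advancing by it would move the
       cursor before or past the stack buffer. */
    if (ret < 0 || (size_t)ret >= avail) {
        buf[*used] = '\0';          /* keep buffer terminated, offset unchanged */
        return 0;
    }
    *used += (size_t)ret;
    buf[*used] = '\0';              /* do not rely on the callback to terminate */
    return 1;
}

/* Constructed test doubles standing in for an honest and two misbehaving callbacks. */
static int honest_cb(char *s, size_t n, const char *f, va_list ap) { return vsnprintf(s, n, f, ap); }
static int negative_cb(char *s, size_t n, const char *f, va_list ap) { (void)vsnprintf(s, n, f, ap); return -7; }
static int oversized_cb(char *s, size_t n, const char *f, va_list ap) { (void)vsnprintf(s, n, f, ap); return 1 << 30; }

/* Build "mov rax, 0x10" piecewise into a fixed buffer, as an operand printer would.
   Returns the final offset, or -1 if any append was rejected. */
static long format_operands(vsnprintf_fn fn, char *out, size_t size)
{
    size_t used = 0;
    if (!safe_append(out, size, &used, fn, "%s", "mov ")) return -1;
    if (!safe_append(out, size, &used, fn, "%s, ", "rax")) return -1;
    if (!safe_append(out, size, &used, fn, "0x%x", 0x10u)) return -1;
    return (long)used;
}
```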

💻 Affected Systems

Products:
  • Capstone disassembly framework
Versions: 6.0.0-Alpha5 and earlier
Operating Systems: All platforms where Capstone is used
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires the cs_opt_mem.vsnprintf callback to be set to a malicious function, which typically requires attacker control over the application using Capstone.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if the vulnerable component processes untrusted input in a network-facing service.

🟠 Likely Case: Application crash (denial of service) or limited memory corruption when processing maliciously crafted disassembly input.

🟢 If Mitigated: No impact if the vulnerable component doesn't process untrusted input or if proper input validation is implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires control over the cs_opt_mem.vsnprintf callback, which may require compromising the application using Capstone first.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 2c7797182a1618be12017d7d41e0b6581d5d529e

Vendor Advisory: https://github.com/capstone-engine/capstone/security/advisories/GHSA-85f5-6xr3-q76r

Restart Required: No

Instructions:

1. Update Capstone to a version containing commit 2c7797182a1618be12017d7d41e0b6581d5d529e
2. Rebuild any applications that link against Capstone
3. No service restart needed for library updates

🔧 Temporary Workarounds

Input validation (all): Validate all input passed to Capstone disassembly functions to prevent malicious callback manipulation

Sandbox Capstone usage (all): Run Capstone in isolated environments when processing untrusted input

🧯 If You Can't Patch

  • Implement strict input validation for all data passed to Capstone functions
  • Isolate Capstone usage to non-privileged processes and containers

🔍 How to Verify

Check if Vulnerable:

Check Capstone version: if using 6.0.0-Alpha5 or earlier, you are vulnerable

Check Version:

Check the Capstone version in your application, or call cs_version() if using the Capstone API

Verify Fix Applied:

Verify that commit 2c7797182a1618be12017d7d41e0b6581d5d529e is present in your Capstone source, or check that the version is newer than 6.0.0-Alpha5

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing disassembly
  • Memory corruption errors in application logs

Network Indicators:

  • Unusual disassembly requests to services using Capstone

SIEM Query:

Process crashes with memory corruption errors AND process uses Capstone library
