Use-After-Free Vulnerability in GNU Bison by GNU
CVE-2020-24240
CVSS 5.5 MEDIUM
What is CVE-2020-24240?
GNU Bison before version 3.7.1 contains a use-after-free in the _obstack_free function in lib/obstack.c, triggered when a '\0' byte occurs in the input Bison is processing. There is a risk only when Bison is run on untrusted input, that is, a grammar file from an untrusted source; in that case Bison would typically crash, and the upstream position is that the exact behaviour depends on the compiler and architecture of the machine. The fix is to upgrade to Bison 3.7.1 or later. Until then, do not pass grammar files from untrusted sources to a vulnerable Bison; since the trigger described here is a NUL byte in the input, rejecting inputs that contain one removes that trigger.
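As an added example, not code from the advisory or from the Bison project, the following POSIX shell script performs the two pre-flight checks a practitioner would want before handing grammar files from an untrusted source to Bison: whether the installed Bison is at or above the fixed release 3.7.1, and, if not, whether the grammar contains the NUL byte that triggers the bug. It assumes the first line of `bison --version` ends with the dotted version number (for example "bison (GNU Bison) 3.5.1"); the function names, FIXED_VERSION and the sample grammars are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the Bison project.
# Pre-flight checks before running bison on a grammar file from an untrusted
# source: (1) is the installed bison at or above the fixed release 3.7.1?
# (2) if not, does the grammar contain the '\0' byte that triggers the bug?
# Assumptions: the first line of `bison --version` ends with the dotted
# version (e.g. "bison (GNU Bison) 3.5.1"); the sample inputs below are constructed.

FIXED_VERSION=3.7.1   # first release without CVE-2020-24240, per the advisory

# Pull the dotted version out of `bison --version` output (first line, last field).
bison_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise.
# Compares component by component so that 3.10 > 3.7.1, unlike a string compare.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# bison_is_fixed "<bison --version output>": exit 0 if that bison is >= 3.7.1.
bison_is_fixed() {
    v=$(bison_version_from_output "$1")
    [ -n "$v" ] && version_ge "$v" "$FIXED_VERSION"
}

# grammar_has_nul FILE: exit 0 if FILE contains at least one '\0' byte.
# The byte count with NULs stripped differs from the raw count only if NULs exist.
grammar_has_nul() {
    total=$(wc -c < "$1" | tr -d ' ')
    stripped=$(LC_ALL=C tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$total" -ne "$stripped" ]
}

# preflight "<bison --version output>" FILE: exit 0 if FILE may be passed to
# that bison, 1 if the bison is vulnerable and FILE carries the NUL trigger.
preflight() {
    if bison_is_fixed "$1"; then
        return 0
    fi
    if grammar_has_nul "$2"; then
        echo "refusing: bison < $FIXED_VERSION and $2 contains a NUL byte (CVE-2020-24240)" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo on constructed inputs: a clean grammar, one with an embedded
# NUL, and a constructed version string for a vulnerable bison.
demo() {
    d=$(mktemp -d)
    printf '%%%%\nexp: %%empty;\n%%%%\n' > "$d/clean.y"
    printf '%%%%\nexp: \000%%empty;\n%%%%\n' > "$d/nul.y"
    for g in clean.y nul.y; do
        if preflight 'bison (GNU Bison) 3.5.1' "$d/$g"; then
            echo "$g: ok to pass to bison"
        else
            echo "$g: blocked"
        fi
    done
    rm -rf "$d"
}
demo
```

To check a real installation, call `preflight "$(bison --version)" untrusted.y` instead of the constructed version string. The version comparison is numeric per component, so a future 3.10 release is correctly treated as newer than 3.7.1; a plain string or lexical sort would get that wrong.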