{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-8734", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-08-08T07:57:09.262Z", "datePublished": "2025-08-08T18:02:07.827Z", "dateUpdated": "2025-08-08T18:14:20.867Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-08-08T18:02:07.827Z"}, "title": "GNU Bison scan-code.c code_free double free", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-415", "lang": "en", "description": "Double Free"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "GNU", "product": "Bison", "versions": [{"version": "3.8.0", "status": "affected"}, {"version": "3.8.1", "status": "affected"}, {"version": "3.8.2", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in GNU Bison up to 3.8.2. Affected is the function code_free of the file src/scan-code.c. The manipulation leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used."}, {"lang": "de", "value": "Es wurde eine problematische Schwachstelle in GNU Bison bis 3.8.2 entdeckt. Es betrifft die Funktion code_free der Datei src/scan-code.c. Durch Beeinflussen mit unbekannten Daten kann eine double free-Schwachstelle ausgenutzt werden. Der Angriff hat dabei lokal zu erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2025-08-08T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-08-08T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-08-08T10:02:20.000Z", "lang": "en", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.319230", "name": "VDB-319230 | GNU Bison scan-code.c code_free double free", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.319230", "name": "VDB-319230 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.622300", "name": "Submit #622300 | GNU Bison Bison the newest master(2ceaf03-Jul10 in https://cgit.git.savannah.gnu.org/cgit/bison.git) Memory Corruption Vulnerability (Double Free)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/akimd/bison/issues/115", "tags": ["issue-tracking"]}, {"url": "https://drive.google.com/file/d/123Qe44FaC-GP88dWNl9-6H4jLWUcXYNZ/view?usp=drive_link", "tags": ["exploit"]}, {"url": "https://www.gnu.org/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-08T18:14:10.884718Z", "id": "CVE-2025-8734", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-08T18:14:20.867Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8734", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-08T18:14:10.884718Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-08T18:14:16.839Z"}}], "cna": {"title": "GNU Bison scan-code.c code_free double free", "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "GNU", "product": "Bison", "versions": [{"status": "affected", "version": "3.8.0"}, {"status": "affected", "version": "3.8.1"}, {"status": "affected", "version": "3.8.2"}]}], "timeline": [{"lang": "en", "time": "2025-08-08T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-08-08T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-08-08T10:02:20.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.319230", "name": "VDB-319230 | GNU Bison scan-code.c code_free double free", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.319230", "name": "VDB-319230 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.622300", "name": "Submit #622300 | GNU Bison Bison the newest master(2ceaf03-Jul10 in https://cgit.git.savannah.gnu.org/cgit/bison.git) Memory Corruption Vulnerability (Double Free)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/akimd/bison/issues/115", "tags": ["issue-tracking"]}, {"url": "https://drive.google.com/file/d/123Qe44FaC-GP88dWNl9-6H4jLWUcXYNZ/view?usp=drive_link", "tags": ["exploit"]}, {"url": "https://www.gnu.org/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in GNU Bison up to 3.8.2. Affected is the function code_free of the file src/scan-code.c. The manipulation leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used."}, {"lang": "de", "value": "Es wurde eine problematische Schwachstelle in GNU Bison bis 3.8.2 entdeckt. Es betrifft die Funktion code_free der Datei src/scan-code.c. Durch Beeinflussen mit unbekannten Daten kann eine double free-Schwachstelle ausgenutzt werden. Der Angriff hat dabei lokal zu erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-415", "description": "Double Free"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-08-08T18:02:07.827Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8734", "state": "PUBLISHED", "dateUpdated": "2025-08-08T18:14:20.867Z", "dateReserved": "2025-08-08T07:57:09.262Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-08-08T18:02:07.827Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability classified as problematic has been found in GNU Bison up to 3.8.2. Affected is the function code_free of the file src/scan-code.c. The manipulation leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used."}], "id": "CVE-2025-8734", "lastModified": "2025-08-08T20:30:18.180", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-08-08T18:15:29.527", "references": [{"source": "cna@vuldb.com", "url": "https://drive.google.com/file/d/123Qe44FaC-GP88dWNl9-6H4jLWUcXYNZ/view?usp=drive_link"}, {"source": "cna@vuldb.com", "url": "https://github.com/akimd/bison/issues/115"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.319230"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.319230"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.622300"}, {"source": "cna@vuldb.com", "url": "https://www.gnu.org/"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-415"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{"bugzilla": {"description": "bison: Bison Double Free Vulnerability", "id": "2387304", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387304"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "(CWE-119|CWE-415)", "details": ["A vulnerability classified as problematic has been found in GNU Bison up to 3.8.2. Affected is the function code_free of the file src/scan-code.c. The manipulation leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.", "A flaw was found in bison. The `code_free` function in `src/scan-code.c` is susceptible to a double-free condition due to improper memory management, allowing a local attacker to trigger a memory corruption issue. This manipulation occurs when processing specially crafted input, resulting in a potential denial of service. The vulnerability stems from issues related to buffer management and memory deallocation."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-8734", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "bison", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "bison", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "bison", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "bison", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "bison", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-08-08T18:02:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-8734\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-8734\nhttps://drive.google.com/file/d/123Qe44FaC-GP88dWNl9-6H4jLWUcXYNZ/view?usp=drive_link\nhttps://github.com/akimd/bison/issues/115\nhttps://vuldb.com/?ctiid.319230\nhttps://vuldb.com/?id.319230\nhttps://vuldb.com/?submit.622300\nhttps://www.gnu.org/"], "threat_severity": "Low"}