Skip to main content

Nasm

2 CVEs product

Monthly

CVE-2026-6068 CRITICAL PATCH Act Now

NASM up to version 3.02rc5 contains a heap use-after-free vulnerability in response file (-@) processing that allows remote attackers without authentication to cause data corruption or denial of service. The vulnerability arises from a dangling pointer stored in the global depend_file variable that is dereferenced after the response-file buffer has been freed. A proof-of-concept exploit exists, and CISA's SSVC framework rates this as automatable with partial technical impact, indicating moderate real-world risk despite the relatively modest CVSS score of 6.5.

Denial Of Service Use After Free Memory Corruption Nasm
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-6067 MEDIUM PATCH This Month

Heap buffer overflow in Netwide Assembler (NASM) 3.02rc5 obj_directive() function enables arbitrary code execution and denial of service when processing maliciously crafted .asm files. Missing bounds validation allows attackers to corrupt heap memory through specially constructed assembly source files. Publicly available exploit code exists. Impacts NASM users assembling untrusted input files, particularly automated build systems and development environments processing external assembly code.

RCE Denial Of Service Buffer Overflow Memory Corruption Nasm
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

NASM up to version 3.02rc5 contains a heap use-after-free vulnerability in response file (-@) processing that allows remote attackers without authentication to cause data corruption or denial of service. The vulnerability arises from a dangling pointer stored in the global depend_file variable that is dereferenced after the response-file buffer has been freed. A proof-of-concept exploit exists, and CISA's SSVC framework rates this as automatable with partial technical impact, indicating moderate real-world risk despite the relatively modest CVSS score of 6.5.

Denial Of Service Use After Free Memory Corruption +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Heap buffer overflow in Netwide Assembler (NASM) 3.02rc5 obj_directive() function enables arbitrary code execution and denial of service when processing maliciously crafted .asm files. Missing bounds validation allows attackers to corrupt heap memory through specially constructed assembly source files. Publicly available exploit code exists. Impacts NASM users assembling untrusted input files, particularly automated build systems and development environments processing external assembly code.

RCE Denial Of Service Buffer Overflow +2
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy