CVE-2025-8734
GNU Bison scan-code.c code_free double free
Description
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: Additional analysis indicates that the files referenced in the stack trace do not exist in Bison.
INFO
Published Date: Aug. 8, 2025, 6:15 p.m.
Last Modified: Nov. 4, 2025, 12:15 a.m.
Remotely Exploitable: No
Source: [email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 2.0 | LOW | | | | [email protected] |
| | CVSS 3.1 | LOW | | | | [email protected] |
| | CVSS 4.0 | MEDIUM | | | | [email protected] |
Solution
- Update GNU Bison to a version later than 3.8.2.
- Review code for proper memory management in `code_free`.
- Apply security patches provided by the vendor.
The following table lists the changes that have been made to the CVE-2025-8734 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- CVE Rejected by [email protected], Nov. 04, 2025

- CVE Modified by [email protected], Nov. 04, 2025

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Removed | Tag | VulDB: disputed | |
  | Changed | Description | A vulnerability has been found in GNU Bison up to 3.8.2. This impacts the function code_free of the file src/scan-code.c. The manipulation leads to double free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The actual existence of this vulnerability is currently in question. The issue could not be reproduced from a GNU Bison 3.8.2 tarball run in a Fedora 42 container. | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: Additional analysis indicates that the files referenced in the stack trace do not exist in Bison. |
  | Removed | CVSS V4.0 | VulDB: AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X | |
  | Removed | CVSS V3.1 | VulDB: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | |
  | Removed | CVSS V2 | VulDB: (AV:L/AC:L/Au:S/C:N/I:N/A:P) | |
  | Removed | CWE | VulDB: CWE-119 | |
  | Removed | CWE | VulDB: CWE-415 | |
  | Removed | Reference | VulDB: https://drive.google.com/file/d/123Qe44FaC-GP88dWNl9-6H4jLWUcXYNZ/view?usp=drive_link | |
  | Removed | Reference | VulDB: https://github.com/akimd/bison/issues/115 | |
  | Removed | Reference | VulDB: https://vuldb.com/?ctiid.319230 | |
  | Removed | Reference | VulDB: https://vuldb.com/?id.319230 | |
  | Removed | Reference | VulDB: https://vuldb.com/?submit.622300 | |
  | Removed | Reference | VulDB: https://www.gnu.org/ | |
  | Removed | Reference | CVE: https://www.openwall.com/lists/oss-security/2025/10/27/12 | |

- CVE Modified by af854a3a-2127-422b-91ae-364da2661108, Oct. 28, 2025

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Reference | | https://www.openwall.com/lists/oss-security/2025/10/27/12 |

- CVE Modified by [email protected], Aug. 19, 2025

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Tag | | disputed |
  | Changed | Description | A vulnerability classified as problematic has been found in GNU Bison up to 3.8.2. Affected is the function code_free of the file src/scan-code.c. The manipulation leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | A vulnerability has been found in GNU Bison up to 3.8.2. This impacts the function code_free of the file src/scan-code.c. The manipulation leads to double free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The actual existence of this vulnerability is currently in question. The issue could not be reproduced from a GNU Bison 3.8.2 tarball run in a Fedora 42 container. |

- New CVE Received by [email protected], Aug. 08, 2025

  | Action | Type | Old Value | New Value |
  |---|---|---|---|
  | Added | Description | | A vulnerability classified as problematic has been found in GNU Bison up to 3.8.2. Affected is the function code_free of the file src/scan-code.c. The manipulation leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. |
  | Added | CVSS V4.0 | | AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
  | Added | CVSS V3.1 | | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
  | Added | CVSS V2 | | (AV:L/AC:L/Au:S/C:N/I:N/A:P) |
  | Added | CWE | | CWE-119 |
  | Added | CWE | | CWE-415 |
  | Added | Reference | | https://drive.google.com/file/d/123Qe44FaC-GP88dWNl9-6H4jLWUcXYNZ/view?usp=drive_link |
  | Added | Reference | | https://github.com/akimd/bison/issues/115 |
  | Added | Reference | | https://vuldb.com/?ctiid.319230 |
  | Added | Reference | | https://vuldb.com/?id.319230 |
  | Added | Reference | | https://vuldb.com/?submit.622300 |
  | Added | Reference | | https://www.gnu.org/ |