Platform
python
Component
capstone
Fixed in
3.0.5rc2
CVE-2017-6952 describes a buffer overflow vulnerability discovered in the Capstone disassembler, specifically within the cs_winkernel_malloc function. This flaw can lead to a denial of service (DoS) condition, potentially impacting systems running vulnerable kernel drivers. The vulnerability affects versions of Capstone up to and including 3.0.4, with a fix available in version 3.0.5rc2.
An attacker exploiting CVE-2017-6952 can trigger a heap-based buffer overflow within the kernel driver when a large value is provided to the cs_winkernel_malloc function. This overflow can overwrite adjacent memory regions, potentially leading to a system crash or denial of service. While the description notes the possibility of “unspecified other impact,” the primary and most likely consequence is a DoS. The vulnerability's location within a kernel driver suggests a potentially high impact, as successful exploitation could disrupt core system functionality. The ability to trigger this overflow depends on the attacker's ability to influence the value passed to cs_winkernel_malloc, which may require specific interaction with the disassembler or its integration points.
CVE-2017-6952 was published on March 16, 2017. There is no indication of this vulnerability being actively exploited in the wild. The vulnerability is not listed in CISA's KEV (Known Exploited Vulnerabilities) catalog and has a low EPSS (Exploit Prediction Scoring System) score, suggesting a low probability of exploitation. Public proof-of-concept (POC) code is not widely available, further reducing the immediate risk.
Exploit Status
EPSS
0.35% (57th percentile)
CVSS Vector
The primary mitigation for CVE-2017-6952 is to upgrade to Capstone version 3.0.5rc2 or later, which contains the fix for the integer overflow. If immediate upgrading is not feasible, consider implementing input validation on the value passed to cs_winkernel_malloc to prevent excessively large values from being allocated. While a WAF or proxy is unlikely to directly mitigate this kernel-level vulnerability, restricting network access to the disassembler component could reduce the attack surface. After upgrading, confirm the fix by attempting to trigger the overflow with a large value and verifying that the allocation fails gracefully without causing a crash.
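The check the mitigation above calls for, as an added example in C that is not Capstone's own code: a hypothetical header-prefixed allocation wrapper, showing how plain size_t arithmetic on a caller-controlled size wraps to a tiny total (and so yields an undersized heap block) next to the checked form that rejects such requests. The memblock_t layout, HDR and every function name here are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header-prefixed block: the requested size is stored just before
 * the caller's buffer (an assumption for this example, not Capstone's layout). */
typedef struct { size_t size; unsigned char data[]; } memblock_t;
#define HDR offsetof(memblock_t, data)

/* Weak pattern: header added to a caller-controlled size with plain size_t
 * arithmetic. Near SIZE_MAX the sum wraps to a tiny value, so the allocation
 * succeeds but is far smaller than the caller believes. */
size_t unchecked_total(size_t size) { return size + HDR; }

/* Corrected pattern: refuse the request when size + HDR would wrap. */
bool checked_total(size_t size, size_t *total) {
    if (size > SIZE_MAX - HDR)
        return false;             /* sum would overflow size_t */
    *total = size + HDR;
    return true;
}

/* Wrapper built on the checked arithmetic: NULL for a zero-length request and
 * for any request whose total size would overflow, else a sized buffer. */
void *safe_malloc(size_t size) {
    size_t total;
    memblock_t *block;
    if (size == 0 || !checked_total(size, &total))
        return NULL;
    if ((block = malloc(total)) == NULL)
        return NULL;
    block->size = size;
    return block->data;
}

size_t block_size(const void *p) {
    return ((const memblock_t *)((const unsigned char *)p - HDR))->size;
}
void safe_free(void *p) { if (p != NULL) free((unsigned char *)p - HDR); }

/* Allocate n bytes, write all of them, confirm the recorded size, release.
 * Returns 1 on success, 0 if the wrapper refused or mis-sized the block. */
int roundtrip_ok(size_t n) {
    unsigned char *p = safe_malloc(n);
    if (p == NULL || block_size(p) != n)
        return 0;
    memset(p, 0xA5, n);
    safe_free(p);
    return 1;
}
```

unchecked_total(SIZE_MAX) wraps to HDR - 1 bytes, the undersized block a caller would then overrun; safe_malloc returns NULL for the same request.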
CVE-2017-6952 is a HIGH severity buffer overflow vulnerability in Capstone disassembler versions 3.0.4 and earlier. An integer overflow in the cs_winkernel_malloc function can lead to a denial of service when processing large values.
You are affected if you are using Capstone disassembler version 3.0.4 or earlier. Check your version using capstone --version and upgrade if necessary.
Upgrade to Capstone version 3.0.5rc2 or later to resolve the vulnerability. If immediate upgrading isn't possible, implement input validation on values passed to cs_winkernel_malloc.
There is currently no evidence of CVE-2017-6952 being actively exploited in the wild, and public POC code is limited.
Refer to the Capstone project's security advisories and the NVD entry for CVE-2017-6952 for official information: https://nvd.nist.gov/vuln/detail/CVE-2017-6952