Platform: windows
Component: r-gui
Fixed in: 3.5.1
CVE-2018-25258 is a local buffer overflow vulnerability in RGui version 3.5.0. The flaw allows attackers to bypass Data Execution Prevention (DEP) protections through structured exception handling (SEH) exploitation, potentially leading to arbitrary code execution. Successful exploitation requires local access and crafted input in the Language field of the GUI preferences dialog.
An attacker can exploit this vulnerability by supplying crafted input in the 'Language for menus and messages' field of the RGui GUI preferences dialog. The crafted input triggers a stack-based buffer overflow, allowing the attacker to bypass DEP protections. The vulnerability enables the execution of a Return-Oriented Programming (ROP) chain for VirtualAlloc allocation, ultimately granting the attacker arbitrary code execution on the affected system. This could lead to complete system compromise, data theft, or the installation of malicious software.
CVE-2018-25258 has been publicly disclosed. No active exploitation campaigns are currently known and no KEV listing is present, but the vulnerability's potential for arbitrary code execution and the availability of DEP bypass techniques make it a potential target. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature.
Exploit Status
EPSS: 0.02% (4% percentile)
The primary mitigation for CVE-2018-25258 is to upgrade to a patched version of RGui. Unfortunately, no patched version is currently available in the provided data. As a temporary workaround, restrict access to the RGui preferences dialog to trusted users only. Consider implementing input validation on the 'Language for menus and messages' field to prevent excessively long strings. While not a complete solution, this can reduce the attack surface. After upgrading (when available), confirm the fix by attempting to trigger the overflow with a known malicious input string and verifying that the application does not crash or exhibit unexpected behavior.
Update to a patched version of RGui. Version 3.5.0 is the last affected version, so updating to a later version is recommended if available. Check the R project website for more information about updates.
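An added example (not code from the R project or from this advisory): a Python triage check that tests a version string against the affected and fixed versions stated above and flags an over-long or oddly formed `language` entry in saved RGui preferences. It assumes that preferences are saved in an `Rconsole` file with a `language = ` line; the 32-character limit and the allowed character set are also assumptions.

```python
import re

AFFECTED = (3, 5, 0)   # affected version, from the advisory
FIXED = (3, 5, 1)      # "Fixed in" value, from the advisory
MAX_LANG_LEN = 32      # assumption: generous bound for values like "pt_BR" or "sv:de"
LANG_OK = re.compile(r"[A-Za-z_@:.\-]*")  # assumption: characters used in locale names


def parse_version(text):
    """Turn '3.5.0' or 'R version 3.5.0' into (3, 5, 0)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True when the version falls in the advisory's range (3.5.0 only)."""
    return AFFECTED <= parse_version(version_text) < FIXED


def audit_rconsole(text):
    """Return (line_no, reason) findings for 'language' entries in Rconsole text.

    Assumption: the file uses 'key = value' lines and '#' comments.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != "language":
            continue
        value = value.strip()
        if len(value) > MAX_LANG_LEN:
            findings.append((no, f"language value is {len(value)} chars"))
        elif not LANG_OK.fullmatch(value):
            findings.append((no, "language value has unexpected characters"))
    return findings


# Constructed sample input (not taken from a real system).
SAMPLE = "## Language for messages\nlanguage = " + "A" * 400 + "\n"

if __name__ == "__main__":
    print(is_affected("R version 3.5.0"))
    print(audit_rconsole(SAMPLE))
```

A finding is a prompt to inspect the host and the file's origin, not proof of an exploitation attempt.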
CVE-2018-25258 is a buffer overflow vulnerability in RGui version 3.5.0. Malicious input can trigger a stack-based buffer overflow, potentially leading to arbitrary code execution.
You are affected if you are using RGui version 3.5.0 and have not upgraded to a patched version (currently unavailable).
Upgrade to a patched version of RGui. Until a patch is released, restrict access to the preferences dialog and implement input validation.
No active exploitation campaigns are currently known, but the vulnerability's potential makes it a possible target.
Official RGui advisories are not readily available; monitor security news sources for updates.