A critical heap buffer overflow vulnerability (CVE-2026-6067) has been identified in Netwide Assembler (NASM) versions up to 3.02rc5. This flaw arises from insufficient bounds checking within the obj_directive() function. Successfully exploiting this vulnerability allows an attacker to assemble a specially crafted .asm file, leading to heap memory corruption and potentially enabling denial of service or arbitrary code execution.
The heap buffer overflow vulnerability in NASM poses a significant security risk. An attacker can leverage this flaw by providing a malicious .asm file as input to the assembler. This crafted file triggers the overflow, overwriting adjacent memory regions on the heap. This memory corruption can lead to a denial-of-service condition, causing NASM to crash and halting assembly processes. More critically, an attacker could potentially overwrite critical program data or control flow, enabling arbitrary code execution on the system running NASM. The impact is particularly severe in environments where NASM is used to assemble code for sensitive applications or systems, as a successful exploit could compromise the entire system.
CVE-2026-6067 was publicly disclosed on 2026-04-10. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for updates on exploitation attempts.
Exploit Status
EPSS
0.06% (20% percentile)
The primary mitigation for CVE-2026-6067 is to upgrade to a patched version of NASM. As of this writing, a patched version is not yet available. Until a patch is released, consider restricting the types of .asm files that NASM processes, particularly those originating from untrusted sources. Implement input validation to detect and reject potentially malicious assembly files. While not a direct fix, running NASM in a sandboxed environment can limit the potential impact of a successful exploit by isolating it from the rest of the system. Monitor system logs for unusual NASM activity or crashes, which could indicate an attempted exploitation.
Update to a patched version of NASM. The vulnerability is present in version 3.02rc5 and later versions are expected to contain the fix. Refer to the GitHub repository for more information and updates.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-6067 is a heap buffer overflow vulnerability in NASM versions up to 3.02rc5. A malicious .asm file can trigger the overflow, potentially leading to denial of service or arbitrary code execution.
You are affected if you are using NASM version 3.02rc5 or earlier. Upgrade to a patched version when available to mitigate the risk.
Upgrade to a patched version of NASM. Until a patch is released, restrict processing of untrusted .asm files and monitor system logs.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-6067, but monitoring is advised.
Refer to the official NASM website and security mailing lists for updates and advisories regarding CVE-2026-6067.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.