CVE-2025-8734: 
Linux Debian vulnerability analysis and mitigation

A vulnerability (CVE-2025-8734) has been identified in GNU Bison up to version 3.8.2. The vulnerability affects the code_free function in the src/scan-code.c file, where a double free condition can occur. The issue was discovered and publicly disclosed on August 8, 2025 (NVD, Debian).

The vulnerability manifests as a double free error in the heap management system, specifically in the code scanner buffer management. The issue occurs in the codefree function at src/scan-code.c:2597 and is triggered through the code_delete_buffer function at src/scan-code.c:2086. The vulnerability has been assigned CVSS v4.0 score of 4.8 (MEDIUM) with vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P, and CVSS v3.1 score of 3.3 (LOW) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (VulDB).

When exploited, this vulnerability leads to heap corruption and program crash through a double free condition. The attack requires local access to be executed. While the direct impact appears to be limited to availability (program crash), the nature of memory corruption vulnerabilities means there could be potential for more severe exploitation (GitHub).

As of the latest reports, the vulnerability remains unpatched in GNU Bison version 3.8.2. The issue affects multiple distributions including Debian's bullseye, forky, sid, bookworm, and trixie releases. Users are advised to monitor for updates and apply patches when they become available (Debian).

The vulnerability was discovered and reported by security researchers Xudong Cao (UCAS) and Yuqing Zhang (UCAS, Zhongguancun Laboratory). The issue has been documented in detail on GitHub, where it has garnered attention from the development community (GitHub).