
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability classified as problematic was found in GNU cflow up to version 1.8. The vulnerability affects the yylex function in the c.c file of the Lexer component. The issue was discovered and disclosed on July 25, 2025, and was assigned CVE-2025-8735. The vulnerability requires local access to exploit (GNU Bug Report, VulDB).
The vulnerability is a NULL pointer dereference in the lexical analyzer, the yylex() function. When cflow processes a specially crafted C source file, the lexer reads through a NULL pointer and faults on the access to address 0x28: a field at offset 0x28 from NULL, which is why the reported faulting address is a small constant rather than 0. The crash is reported at c.c:1086, in the statement 'yy_current_state += YY_AT_BOL()', which is reached without the pointer ever having been validated. The issue has been assigned CWE-476 (NULL Pointer Dereference) and CWE-404 (Improper Resource Shutdown or Release). The CVSS v3.1 base score is 3.3 (LOW) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L: local attack vector, low attack complexity, low privileges required, no user interaction, and an availability-only impact (GNU Bug Report, VulDB).
The impact is on availability only: a triggering input makes the cflow process segfault immediately, so any tool or pipeline that runs cflow over attacker-supplied source can be made to fail. Because cflow is a command-line analysis tool that has to be run on the crafted file, the attack vector is local, and the crash terminates only that cflow invocation, not the host. There is no impact on confidentiality or integrity (VulDB).
No official patch or vendor mitigation has been released yet. VulDB's recommendation is to consider replacing the affected software with an alternative product until a fix is available. In practice the exposure is confined to environments that run cflow on untrusted C sources (for example a build or review pipeline that analyses contributed code); there, run cflow as an unprivileged, resource-limited subprocess and treat a signal-terminated exit as a failed analysis rather than a successful one (VulDB).
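The following wrapper shows one way to apply that interim control. It is an added example written for this entry, not code from cflow, the GNU bug report or VulDB: it runs cflow (assumed to be on PATH of a POSIX host) as a child process with core dumps disabled and memory and CPU capped, and reports a signal death such as the SIGSEGV from this bug as a classified result instead of an unhandled failure. The limit values are illustrative assumptions, not figures from the advisory.

```python
"""Contained execution of cflow over untrusted input, with crash classification.

Added example for this advisory; it is not code from cflow or from the GNU bug
report. It assumes a POSIX host where 'cflow' is on PATH. The resource limits
are illustrative values chosen for this example.
"""
import resource
import signal
import subprocess
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RunResult:
    returncode: int             # as reported by subprocess (negative = signal)
    crashed: bool               # child was terminated by a signal
    signal_name: Optional[str]  # e.g. "SIGSEGV" for the null dereference above
    timed_out: bool
    stderr: str


def _cap(res: int, value: int) -> None:
    """Lower a resource limit to `value`, never above the existing hard limit."""
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _limit_child() -> None:
    # Runs in the child between fork() and exec(): no core dump for a crash on
    # attacker-controlled input, and caps on memory and CPU so a pathological
    # source file cannot exhaust the host (assumed values).
    _cap(resource.RLIMIT_CORE, 0)
    _cap(resource.RLIMIT_AS, 512 * 1024 * 1024)
    _cap(resource.RLIMIT_CPU, 10)


def classify_returncode(rc: int) -> Optional[str]:
    """subprocess reports 'killed by signal N' as returncode -N."""
    if rc >= 0:
        return None
    try:
        return signal.Signals(-rc).name
    except ValueError:
        return f"SIG{-rc}"


def run_contained(argv: List[str], timeout: float = 30.0) -> RunResult:
    """Run argv under the limits above; a signal death is reported, not raised."""
    try:
        proc = subprocess.run(
            argv, capture_output=True, text=True, timeout=timeout,
            stdin=subprocess.DEVNULL, preexec_fn=_limit_child,
        )
    except subprocess.TimeoutExpired as exc:
        err = exc.stderr if isinstance(exc.stderr, str) else ""
        return RunResult(-1, False, None, True, err)
    sig = classify_returncode(proc.returncode)
    return RunResult(proc.returncode, sig is not None, sig, False, proc.stderr)


def cflow_analysis_ok(path: str) -> bool:
    """True only when cflow analysed `path` and exited normally with status 0.

    A SIGSEGV here is the failure mode this advisory describes; a pipeline
    should fail closed on it rather than treat the file as analysed.
    """
    result = run_contained(["cflow", path])
    return not result.crashed and not result.timed_out and result.returncode == 0


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        r = run_contained(["cflow", p])
        status = "timeout" if r.timed_out else (r.signal_name or f"exit {r.returncode}")
        print(f"{p}: {status}")
```

Negative return codes from subprocess.run are the signal number, so a crash from this bug shows up as -11 (SIGSEGV) and is distinguishable from cflow's own non-zero exit on a parse error; the wrapper deliberately never raises on a crash so that the calling pipeline records the finding and stops.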
Source: This report was generated using AI