CVE-2025-8736: 
Linux Debian vulnerability analysis and mitigation

A critical buffer overflow vulnerability has been discovered in GNU cflow versions up to 1.8 (CVE-2025-8736). The vulnerability affects the yylex function in the c.c file of the Lexer component. The issue was disclosed on July 25, 2025, and was publicly announced on August 8, 2025. The vulnerability requires local access to exploit (GNU Bug Report, VulDB).

The vulnerability is caused by improper validation of array indices in the lexical analyzer function (yylex). When processing malformed C source files, the state machine becomes corrupted, leading to an out-of-bounds memory access. The vulnerability occurs at c.c:1091 where yy_accept[yy_current_state] is accessed without proper bounds checking. The CVSS v3.1 base score is 5.3 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input) (GNU Bug Report, NVD).

The exploitation of this vulnerability can lead to buffer overflow, resulting in segmentation faults and potential program crashes. When successfully exploited, it can cause out-of-bounds memory access, potentially leading to denial of service or arbitrary code execution in the context of the application (VulDB, GNU Bug Report).

As of the vulnerability disclosure, no official patch has been released for GNU cflow. Users are advised to monitor the GNU cflow bug tracker and mailing list for updates and patch availability (GNU Bug Report).