CVE-2025-8736: 
Linux Debian vulnerability analysis and mitigation

A critical buffer overflow vulnerability (CVE-2025-8736) has been discovered in GNU cflow up to version 1.8. The vulnerability affects the yylex function in the c.c file of the Lexer component. The issue was discovered and reported on July 25, 2025, by researchers Xudong Cao and Yuqing Zhang from UCAS and Zhongguancun Laboratory (GNU Mailing List).

The vulnerability occurs in the lexical analyzer's yylex() function when processing malformed C source files. The root cause is improper validation of array indices, leading to out-of-bounds memory access. The issue manifests when the yycurrentstate variable becomes corrupted with invalid values, which are then used as array indices into the yy_accept array without proper bounds checking. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 MEDIUM (VulDB).

The buffer overflow vulnerability affects the confidentiality, integrity, and availability of the system. When exploited, it can lead to segmentation faults and potential arbitrary code execution. The vulnerability requires local access to be exploited (VulDB).

Currently, there are no official patches or mitigations available for this vulnerability. It is recommended to consider replacing the affected software with an alternative product until a security update is released (VulDB).