VYPR
Moderate severity · NVD Advisory · Published May 15, 2019 · Updated Aug 6, 2024

CVE-2016-7151

Description

Capstone 3.0.4 has an out-of-bounds read in X86_insn_reg_intel, causing SEGV via specially crafted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2016-7151 describes an out-of-bounds read vulnerability in Capstone 3.0.4, a multi-architecture disassembly framework. The flaw resides in the X86_insn_reg_intel function within arch/X86/X86Mapping.c. A specially crafted binary input causes the function to read beyond the bounds of the instruction-to-register table it searches, leading to a segmentation fault (SEGV) as detailed in the official description [1].

Exploitation

Vector

An attacker can exploit this vulnerability by providing a malicious binary or code sequence to an application that uses the Capstone library for disassembly. The crash occurs during instruction printing via X86_Intel_printInst, which calls X86_insn_reg_intel at line 2784 of the mapping file. This was demonstrated through a fuzzing test case that reproduces the out-of-bounds access, as shown in the AddressSanitizer output [2]. The issue is an out-of-bounds read, not a write; no authentication is required, since the vulnerability is triggered purely by processing untrusted input.

Impact

Successful exploitation results in a denial-of-service (DoS) condition via application crash. The SEGV can cause the host process to terminate, potentially affecting availability of services that rely on Capstone for binary analysis or reverse engineering. The vulnerability does not directly enable arbitrary code execution, but it can be leveraged to disrupt operation.

Mitigation

The vulnerability was addressed in a commit to the Capstone repository shortly after discovery [1]. Users should upgrade to a patched version (3.0.5 or later) that includes the fix merged via pull request #725 [2]. The Python advisory database for the capstone package marks this as a security fix (PYSEC-2019-242) [3]. No workaround is available aside from updating the library.
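The mechanics behind the overview and the fix above can be made concrete with a constructed C model (an added example, not Capstone's code or its table). It contrasts the two loop shapes visible in the patch: `lookup_unguarded` recomputes `mid` at the bottom of the loop with unsigned indices and no protection against decrementing `last` from index 0, while `lookup_guarded` adds the range pre-check and top-of-loop `mid` computation from the fix. Table reads go through an instrumented accessor that reports an out-of-range index instead of dereferencing it, so the hazard is observable without undefined behaviour. The `sample_sorted` table, the function names and the result codes are all constructed here; the unguarded variant deliberately omits any guard that the hunk context only hints at, so it shows the generic hazard rather than reproducing Capstone's exact control flow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample table (not Capstone's insn_regs_intel):
 * instruction id -> register id, already sorted by ascending id. */
struct insn_reg { unsigned int insn; unsigned int reg; };

static const struct insn_reg sample_sorted[] = {
    { 10, 1 }, { 20, 2 }, { 30, 3 }, { 40, 4 }, { 50, 5 },
};
#define SAMPLE_SIZE (sizeof(sample_sorted) / sizeof(sample_sorted[0]))

/* Result codes for the instrumented searches (constructed for this example). */
enum { NOT_FOUND = 0, OOB_INDEX = -1 };

/* Instrumented table read: rejects an index outside [0, n) instead of
 * dereferencing it. In unpatched code this is where the out-of-bounds read,
 * and therefore the SEGV / ASan report, would happen. */
static bool load_insn(const struct insn_reg *tbl, size_t n, unsigned int idx, unsigned int *insn)
{
    if (idx >= n)
        return false;
    *insn = tbl[idx].insn;
    return true;
}

/* Search shaped like the pre-fix loop: mid is recomputed at the BOTTOM of the
 * loop, after `last = mid - 1`, and nothing stops that decrement at mid == 0.
 * With unsigned indices `last` wraps to UINT_MAX, `first <= last` stays true,
 * and the next `mid` lands far outside the table. */
int lookup_unguarded(const struct insn_reg *tbl, size_t n, unsigned int id)
{
    unsigned int first = 0;
    unsigned int last = (unsigned int)n - 1;
    unsigned int mid = (unsigned int)n / 2;
    unsigned int insn;

    while (first <= last) {
        if (!load_insn(tbl, n, mid, &insn))
            return OOB_INDEX;           /* the out-of-bounds read */
        if (insn < id)
            first = mid + 1;
        else if (insn == id)
            return (int)tbl[mid].reg;
        else
            last = mid - 1;             /* wraps when mid == 0 */
        mid = (first + last) / 2;
    }
    return NOT_FOUND;
}

/* Search shaped like the patched function: reject ids outside
 * [tbl[0].insn, tbl[last].insn] up front, and compute mid at the TOP of the
 * loop, only after `first <= last` has been checked. The pre-check guarantees
 * tbl[0].insn <= id, so the `last = mid - 1` branch can never run at mid == 0. */
int lookup_guarded(const struct insn_reg *tbl, size_t n, unsigned int id)
{
    unsigned int first = 0;
    unsigned int last = (unsigned int)n - 1;
    unsigned int mid;
    unsigned int insn;

    if (n == 0 || tbl[0].insn > id || tbl[last].insn < id)
        return NOT_FOUND;

    while (first <= last) {
        mid = (first + last) / 2;
        if (!load_insn(tbl, n, mid, &insn))
            return OOB_INDEX;           /* unreachable with the pre-check in place */
        if (insn < id)
            first = mid + 1;
        else if (insn == id)
            return (int)tbl[mid].reg;
        else
            last = mid - 1;
    }
    return NOT_FOUND;
}

int main(void)
{
    /* id 5 is below every entry: the unguarded search walks mid down to 0,
     * wraps `last`, and produces an index outside the table; the guarded
     * search simply reports not-found. */
    printf("unguarded(5)  = %d\n", lookup_unguarded(sample_sorted, SAMPLE_SIZE, 5));
    printf("guarded(5)    = %d\n", lookup_guarded(sample_sorted, SAMPLE_SIZE, 5));
    printf("guarded(30)   = %d\n", lookup_guarded(sample_sorted, SAMPLE_SIZE, 30));
    printf("unguarded(15) = %d\n", lookup_unguarded(sample_sorted, SAMPLE_SIZE, 15));
    return 0;
}
```

Only an id smaller than the first entry drives the unguarded loop to `mid == 0` with a greater element, which is why the wrap is easy to miss in ordinary testing: ids inside or above the table's range terminate normally in both variants, as the `15` case shows.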

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Ecosystem   Affected versions   Patched versions
capstone   PyPI        < 4.0.0             4.0.0

Affected products: 2

Patches: 1

87a25bb543c8

x86: fast path checking for X86_insn_reg_intel()

https://github.com/aquynh/capstone · Nguyen Anh Quynh · Aug 27, 2016 · via ghsa
1 file changed · +8 −3
  • arch/X86/X86Mapping.c  +8 −3  modified
    @@ -2930,15 +2930,15 @@ static int regs_cmp(const void *a, const void *b)
     	return (l - r);
     }
     
    -static bool intel_regs_sorted = false;
     // return register of given instruction id
     // return 0 if not found
     // this is to handle instructions embedding accumulate registers into AsmStrs[]
     x86_reg X86_insn_reg_intel(unsigned int id, enum cs_ac_type *access)
     {
    +	static bool intel_regs_sorted = false;
     	unsigned int first = 0;
     	unsigned int last = ARR_SIZE(insn_regs_intel) - 1;
    -	unsigned int mid = ARR_SIZE(insn_regs_intel) / 2;
    +	unsigned int mid;
     
     	if (!intel_regs_sorted) {
     		memcpy(insn_regs_intel_sorted, insn_regs_intel,
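Review bot: `unsigned int mid;` now leaves `mid` indeterminate until the first loop iteration; that is fine for the code shown, but any later use of `mid` after the loop (the not-found path) would read an uninitialised variable, so a one-line comment that `mid` is only meaningful inside the loop, or a `mid = 0` initialiser, would prevent that. Moving `intel_regs_sorted` into function scope also does not change its thread-safety: two callers reaching `if (!intel_regs_sorted)` at the same time can both run the `memcpy` into `insn_regs_intel_sorted`, and one of them can proceed into the search while the other is still rebuilding the table.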
    @@ -2949,7 +2949,13 @@ x86_reg X86_insn_reg_intel(unsigned int id, enum cs_ac_type *access)
     		intel_regs_sorted = true;
     	}
     
    +	if (insn_regs_intel_sorted[0].insn > id ||
    +			insn_regs_intel_sorted[last].insn < id) {
    +		return 0;
    +	}
    +
     	while (first <= last) {
    +		mid = (first + last) / 2;
     		if (insn_regs_intel_sorted[mid].insn < id) {
     			first = mid + 1;
     		} else if (insn_regs_intel_sorted[mid].insn == id) {
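Review bot: the new check `if (insn_regs_intel_sorted[0].insn > id || insn_regs_intel_sorted[last].insn < id)` is the bounds guarantee for the search, not only the fast path the commit title describes: `last` and `mid` are `unsigned int`, so a `last = mid - 1` step taken at `mid == 0` would wrap to UINT_MAX and keep `first <= last` true; this check ensures the entry at index 0 is never greater than `id`, so that step cannot be reached at index 0. Please say so in a comment so the check is not later dropped as a mere optimisation, and note that it assumes the table is non-empty and has already been sorted (the `intel_regs_sorted = true` path above must have run).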
    @@ -2962,7 +2968,6 @@ x86_reg X86_insn_reg_intel(unsigned int id, enum cs_ac_type *access)
     				break;
     			last = mid - 1;
     		}
    -		mid = (first + last) / 2;
     	}
     
     	// not found
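Review bot: dropping the trailing `mid = (first + last) / 2;` is the right change, because `mid` is now derived only after the loop condition `first <= last` has been re-checked rather than from a `last` that has just moved below `first`. The `last = mid - 1;` that remains still assumes `mid > 0`; the `break;` immediately above it looks like the guard for that case, and with the range check added earlier in this patch the entry at index 0 is never greater than `id`, so that path should now be unreachable. Either keep it as defence in depth with a comment, or remove it, but record which of the two checks is load-bearing.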
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
