CVE-2017-17818
Description
In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over-read that will cause a remote denial of service attack, related to a while loop in paste_tokens in asm/preproc.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap buffer over-read in NASM 2.14rc0's paste_tokens allows denial of service via crafted file.
Vulnerability
A heap-based buffer over-read vulnerability exists in Netwide Assembler (NASM) version 2.14rc0, specifically in the paste_tokens function within asm/preproc.c. The issue occurs in a while loop that does not properly check bounds, leading to an out-of-bounds read. Affected versions include NASM 2.14rc0; earlier versions may also be vulnerable as per the advisory [1].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted source file to be processed by NASM. The user or automated system must open this file, triggering the heap-based buffer over-read. No authentication or special network position is required beyond delivering the malicious file.
Impact
Successful exploitation causes NASM to crash, resulting in a denial of service. The Ubuntu security notice also suggests that arbitrary code execution may be possible, though the CVE description primarily highlights denial of service [1]. The attacker could potentially execute arbitrary code in the context of the NASM process.
Mitigation
Ubuntu has released a fix in version 2.11.06-1ubuntu0.1 for Ubuntu 14.04 LTS. Users should update their NASM packages via standard system update procedures. No workarounds have been published; updating to the patched version is recommended [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
15- osv-coords15 versionspkg:rpm/opensuse/nasm&distro=openSUSE%20Tumbleweedpkg:rpm/suse/firefox-atk&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-cairo&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-gdk-pixbuf&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-glib2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-gtk3&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-harfbuzz&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-libffi&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-libffi-gcc5&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/firefox-pango&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/MozillaFirefox-branding-SLED&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/mozilla-nspr&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/mozilla-nss&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/nasm&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
< 2.15.05-1.6+ 14 more
- (no CPE)range: < 2.15.05-1.6
- (no CPE)range: < 2.26.1-2.8.4
- (no CPE)range: < 1.15.10-2.13.4
- (no CPE)range: < 2.36.11-2.8.4
- (no CPE)range: < 2.54.3-2.14.7
- (no CPE)range: < 3.10.9-2.15.3
- (no CPE)range: < 1.7.5-2.7.4
- (no CPE)range: < 3.2.1.git259-2.3.3
- (no CPE)range: < 5.3.1+r233831-14.1
- (no CPE)range: < 1.40.14-2.7.4
- (no CPE)range: < 68-21.9.8
- (no CPE)range: < 68.2.0-78.51.4
- (no CPE)range: < 4.21-29.6.1
- (no CPE)range: < 3.45-38.9.3
- (no CPE)range: < 2.14.02-4.8.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- bugzilla.nasm.us/show_bug.cginvdExploitIssue TrackingThird Party AdvisoryVDB Entry
- usn.ubuntu.com/3694-1/nvdThird Party Advisory
News mentions
0No linked articles in our index yet.