High severity · 8.8 · NVD Advisory · Published Mar 16, 2017 · Updated May 13, 2026
CVE-2017-6952
Description
Integer overflow in the cs_winkernel_malloc function in winkernel_mm.c in Capstone 3.0.4 and earlier allows attackers to cause a denial of service (heap-based buffer overflow in a kernel driver) or possibly have unspecified other impact via a large value.
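The bug class described above is a size computation of the form `size + sizeof(header)` done in unsigned arithmetic, where a large `size` wraps the sum to a tiny value and the pool allocation comes back far smaller than the caller will use. The following is an added, user-mode C illustration (not Capstone's code, and not the Windows kernel API): `memblock_header` is a hypothetical stand-in for the allocator's header struct, `unchecked_alloc_size` shows the pre-fix arithmetic, and `checked_alloc_size` shows the overflow-rejecting form in portable C, with the same failure semantics as a checked-add helper such as `RtlSizeTAdd`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for an allocator header that is placed in front of
 * the block handed back to the caller (assumed layout, not Capstone's). */
typedef struct memblock_header {
    size_t size;  /* caller-requested size, recorded for the matching free */
} memblock_header;

/* Pre-fix arithmetic: the sum silently wraps for a large size, so a huge
 * request turns into a tiny allocation that is then written past its end. */
size_t unchecked_alloc_size(size_t size)
{
    return size + sizeof(memblock_header);
}

/* Post-fix arithmetic in portable C: returns true and stores the total on
 * success, false when size + header would not fit in size_t. Unsigned
 * addition can only wrap upward, so a single upper-bound test is enough. */
bool checked_alloc_size(size_t size, size_t *out)
{
    if (size > SIZE_MAX - sizeof(memblock_header)) {
        return false;
    }
    *out = size + sizeof(memblock_header);
    return true;
}

/* User-mode model of the hardened allocator: NULL on overflow or on
 * allocation failure, otherwise a pointer just past the header. */
void *safe_malloc_with_header(size_t size)
{
    size_t total = 0;
    if (!checked_alloc_size(size, &total)) {
        return NULL;
    }
    memblock_header *block = malloc(total);
    if (!block) {
        return NULL;
    }
    block->size = size;
    return block + 1;
}

void safe_free_with_header(void *p)
{
    if (p) {
        free((memblock_header *)p - 1);
    }
}

int main(void)
{
    size_t total = 0;
    /* The unchecked form wraps SIZE_MAX to sizeof(header) - 1. */
    printf("unchecked: %zu -> %zu bytes\n", (size_t)SIZE_MAX, unchecked_alloc_size(SIZE_MAX));
    /* The checked form refuses the same request instead of wrapping. */
    printf("checked rejects SIZE_MAX: %s\n", checked_alloc_size(SIZE_MAX, &total) ? "no" : "yes");
    void *p = safe_malloc_with_header(16);
    printf("normal request allocated: %s\n", p ? "yes" : "no");
    safe_free_with_header(p);
    return 0;
}
```

The check is deliberately written as `size > SIZE_MAX - header` rather than testing the sum afterwards, because for unsigned types the sum is always "valid" after wrapping and a post-hoc comparison would not catch the wrap.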
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| capstone (PyPI) | < 3.0.5rc2 | 3.0.5rc2 |
Affected products
Patches (1)
6fe86eef621b: provide a validity check to prevent against Integer overflow conditions (#870)
1 file changed · +11 −2
windows/winkernel_mm.c+11 −2 modified@@ -3,6 +3,7 @@ #include "winkernel_mm.h" #include <ntddk.h> +#include <Ntintsafe.h> // A pool tag for memory allocation static const ULONG CS_WINKERNEL_POOL_TAG = 'kwsC'; @@ -33,8 +34,16 @@ void * CAPSTONE_API cs_winkernel_malloc(size_t size) // FP; a use of NonPagedPool is required for Windows 7 support #pragma prefast(suppress : 30030) // Allocating executable POOL_TYPE memory - CS_WINKERNEL_MEMBLOCK *block = (CS_WINKERNEL_MEMBLOCK *)ExAllocatePoolWithTag( - NonPagedPool, size + sizeof(CS_WINKERNEL_MEMBLOCK), CS_WINKERNEL_POOL_TAG); + size_t number_of_bytes = 0; + CS_WINKERNEL_MEMBLOCK *block = NULL; + // A specially crafted size value can trigger the overflow. + // If the sum in a value that overflows or underflows the capacity of the type, + // the function returns NULL. + if (!NT_SUCCESS(RtlSizeTAdd(size, sizeof(CS_WINKERNEL_MEMBLOCK), &number_of_bytes))) { + return NULL; + } + block = (CS_WINKERNEL_MEMBLOCK *)ExAllocatePoolWithTag( + NonPagedPool, number_of_bytes, CS_WINKERNEL_POOL_TAG); if (!block) { return NULL; }
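Review bot: In the second hunk the new comment reads "If the sum in a value that overflows or underflows the capacity of the type", which is ungrammatical and half wrong: size_t is unsigned, so the addition can only wrap upward, and RtlSizeTAdd reports that case as a failing NTSTATUS (STATUS_INTEGER_OVERFLOW). Suggest "If size + sizeof(CS_WINKERNEL_MEMBLOCK) would overflow size_t, RtlSizeTAdd fails and we return NULL." The check itself is right, and passing the validated number_of_bytes to ExAllocatePoolWithTag instead of recomputing the sum at the call site is the correct shape. In the first hunk, the WDK ships the header as ntintsafe.h; "#include <Ntintsafe.h>" only resolves on a case-insensitive file system, so the lower-case spelling keeps builds on case-sensitive hosts working.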
References (5)
- github.com/aquynh/capstone/commit/6fe86eef621b9849f51a5e1e5d73258a93440403 (nvd, Patch, WEB)
- github.com/advisories/GHSA-3v99-hpv7-9hh9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-6952 (ghsa, ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/capstone/PYSEC-2017-113.yaml (ghsa, WEB)
- www.securityfocus.com/bid/97323 (nvd)
News mentions (0)
No linked articles in our index yet.