VYPR
Unrated severity · OSV Advisory · Published Feb 27, 2018 · Updated Aug 5, 2024

CVE-2018-7548

Description

A NULL pointer dereference in zsh's subst.c when using ${(PA)...} on an empty array result leads to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In zsh through version 5.4.2, the subst.c file contains a NULL pointer dereference when processing the ${(PA)...} parameter expansion on an empty array result. This flaw occurs because the code does not properly handle the case where the array expansion yields no elements, leading to a segmentation fault. The issue was introduced in an earlier version and affects all releases up to 5.4.2. [1]

Exploitation

An attacker can trigger this vulnerability by providing a crafted input that causes the ${(PA)...} expansion to operate on an empty array. This can be done through a script or command line that uses this specific expansion syntax. No special privileges are required beyond the ability to execute commands in zsh. The exploitation results in a crash of the shell, leading to a denial of service condition. [2][3]

Impact

Successful exploitation causes a denial of service through a NULL pointer dereference, crashing the zsh process. This could be used to disrupt user sessions or automated processes that rely on zsh. There is no evidence of code execution or privilege escalation from this vulnerability alone. [2][3]

Mitigation

The vulnerability is fixed in zsh version 5.5 and later. Users should upgrade to zsh 5.5 or apply the relevant patch from the official repository [1]. For distributions, updates are available as follows: Ubuntu released patches in USN-3593-1 for versions 5.4.2-3ubuntu3.1 (17.10) and others [2]; Gentoo recommends upgrading to >=app-shells/zsh-5.5 [3]. If upgrading is not immediately possible, avoid using ${(PA)...} on potentially empty arrays as a workaround.
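
A triage helper for the mitigation guidance above, added here as an example and not part of the advisory or the zsh project: it classifies a zsh version against the 5.4.2 / 5.5 boundary the advisory gives and lists literal uses of `${(PA)` in script files. The function names are hypothetical, and only the exact flag spelling named in the advisory is matched.

```shell
#!/bin/sh
# Added example (not from the advisory): triage helper for CVE-2018-7548.
# Boundaries are the ones the advisory states: affected through 5.4.2,
# fixed in 5.5. Function names are hypothetical.

# Classify an upstream zsh version, e.g. "5.4.2" or a `zsh --version` line.
# Prints one of: affected | fixed | unknown
zsh_cve_2018_7548_status() {
    # Extract the first dotted numeric version from the input.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p')
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    old_ifs=$IFS; IFS=.
    set -- $ver            # split into major minor patch
    IFS=$old_ifs
    major=$1; minor=${2:-0}
    # Compare numerically so that 5.10 sorts after 5.5.
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 5 ]; }; then
        echo fixed
    else
        # Distribution packages may carry a backported fix while still
        # reporting an upstream version below 5.5 (the advisory cites
        # Ubuntu 5.4.2-3ubuntu3.1), so confirm against the package version.
        echo affected
    fi
}

# List file:line:text for every literal use of ${(PA) in the given files.
# Only this exact flag spelling (the one the advisory names) is matched.
find_pa_expansions() {
    # /dev/null forces grep to print file names even for a single file.
    grep -nF '${(PA)' /dev/null "$@" || true
}

# Report on the local zsh, if any, then scan files passed as arguments.
if command -v zsh >/dev/null 2>&1; then
    echo "local zsh: $(zsh_cve_2018_7548_status "$(zsh --version)")"
fi
if [ "$#" -gt 0 ]; then
    find_pa_expansions "$@"
fi
```

An `affected` result on a distribution build should be cross-checked against the distribution's own advisory before acting on it.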

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"A NULL pointer dereference occurs when using ${(PA)...} on an empty array result in zsh."

Attack vector

An attacker can trigger this vulnerability by providing an empty array result to the ${(PA)...} expansion in zsh. This specific expansion is used for parameter array expansion. When the array is empty, the code attempts to dereference a NULL pointer, leading to a crash. The vulnerability is present in zsh versions up to 5.4.2 [1].

Affected code

The vulnerability resides in the `subst.c` file within the zsh source code. Specifically, it is triggered by the ${(PA)...} parameter array expansion when applied to an empty array. The commit that addresses this issue is identified as `110b13e1090bc31ac1352b28adc2d02b6d25a102` [1].

What the fix does

The patch modifies the `subst.c` file to add a check for an empty array result before attempting to dereference the pointer. This prevents the NULL pointer dereference by ensuring that the operation is only performed when the array contains elements. The commit message indicates that this change avoids a NULL-pointer dereference when using ${(PA)...} on an empty array result [1].

Preconditions

  • input: The zsh shell must be configured to use the ${(PA)...} expansion.
  • input: The expansion must be applied to an empty array.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
