CVE-2019-25051
Description
A heap-based buffer overflow in GNU Aspell 0.60.8's ObjStack class can be triggered via crafted input, leading to memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in the ObjStack::dup_top function of GNU Aspell version 0.60.8, which is called from acommon::StringMap::add and acommon::Config::lookup_list. The overflow occurs because the allocation size is not checked against the remaining chunk space, allowing writes beyond the allocated buffer. The fix adds a check_size method that uses assert to ensure the size fits within a chunk [1]. The vulnerability was discovered through OSS-Fuzz [2].
Exploitation
An attacker can trigger this vulnerability by supplying a specially crafted input to Aspell that causes an overly large allocation request via the affected code paths. No authentication is required if the application processes attacker-controlled data (e.g., a document to spell-check). The bug manifests when the allocation size exceeds the available space in the current chunk, leading to a buffer overflow without any precondition on chunk size [1].
Impact
Successful exploitation results in a heap-based buffer overflow, which can corrupt adjacent memory. This can lead to a denial of service (crash) or potentially arbitrary code execution, depending on the heap layout and system mitigations. The references do not detail specific confidentiality, integrity, or availability outcomes, but heap overflows are generally exploitable for information disclosure or code execution.
Mitigation
The fix was committed to the Aspell repository in commit 0718b3754 [1]. Distributions such as Fedora released updated packages [3]. Users should upgrade to a patched version of Aspell (later than 0.60.8) or apply the fix to the source code manually. There is no known workaround other than not processing untrusted input with the vulnerable version.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GNU Aspell (vendor: GNU Aspell), 23 affected package versions (OSV coordinates, no CPE); each entry pairs the package URL with the version range reported as affected, in the order the record lists them:
  - pkg:rpm/almalinux/aspell: < 12:0.60.6.1-22.el8
  - pkg:rpm/almalinux/aspell-devel: < 12:0.60.6.1-22.el8
  - pkg:rpm/opensuse/aspell (openSUSE Leap 15.2): < 0.60.8-lp152.2.3.1
  - pkg:rpm/opensuse/aspell (openSUSE Leap 15.3): < 0.60.8-3.3.1
  - pkg:rpm/opensuse/aspell (openSUSE Tumbleweed): < 0.60.8-4.2
  - pkg:rpm/suse/aspell (HPE Helion OpenStack 8): < 0.60.6.1-18.11.1
  - pkg:rpm/suse/aspell (SUSE Linux Enterprise Module for Basesystem 15 SP2): < 0.60.8-3.3.1
  - pkg:rpm/suse/aspell (SUSE Linux Enterprise Module for Basesystem 15 SP3): < 0.60.8-3.3.1
  - pkg:rpm/suse/aspell (SUSE Linux Enterprise Point of Sale 11 SP3): < 0.60.6-26.36.1
  - pkg:rpm/suse/aspell (SUSE Linux Enterprise Server 11 SP4-LTSS): < 0.60.6-26.36.1
  - pkg:rpm/suse/aspell (SUSE Linux Enterprise Server 12 SP2-BCL): < 0.60.6.1-18.11.1
  - pkg:rpm/suse/aspell (SUSE Linux Enterprise Server 12 SP3-BCL): < 0.60.6.1-18.11.1
  - pkg:rpm/suse/aspell (SUSE Linux Enterprise Server 12 SP3-LTSS): < 0.60.6.1-18.11.1
  - pkg:rpm/suse/aspell (SUSE Linux Enterprise Server 12 SP4-LTSS): < 0.60.6.1-18.11.1
  - pkg:rpm/suse/aspell (SUSE Linux Enterprise Server 12 SP5): < 0.60.6.1-18.11.1
  - pkg:rpm/suse/aspell (SUSE Linux Enterprise Server for SAP Applications 12 SP3): < 0.60.6.1-18.11.1
  - pkg:rpm/suse/aspell (SUSE Linux Enterprise Server for SAP Applications 12 SP4): < 0.60.6.1-18.11.1
  - pkg:rpm/suse/aspell (SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 0.60.6.1-18.11.1
  - pkg:rpm/suse/aspell (SUSE Linux Enterprise Software Development Kit 12 SP5): < 0.60.6.1-18.11.1
  - pkg:rpm/suse/aspell (SUSE OpenStack Cloud 8): < 0.60.6.1-18.11.1
  - pkg:rpm/suse/aspell (SUSE OpenStack Cloud 9): < 0.60.6.1-18.11.1
  - pkg:rpm/suse/aspell (SUSE OpenStack Cloud Crowbar 8): < 0.60.6.1-18.11.1
  - pkg:rpm/suse/aspell (SUSE OpenStack Cloud Crowbar 9): < 0.60.6.1-18.11.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A heap-based buffer overflow exists in the objstack implementation when allocating memory."
Attack vector
The vulnerability is triggered within the `acommon::ObjStack::dup_top` function, which is called by `acommon::StringMap::add` and `acommon::Config::lookup_list`. An attacker can exploit this by providing crafted input that leads to an oversized allocation request, causing the overflow. This overflow can corrupt heap metadata, potentially leading to a crash or arbitrary code execution.
Affected code
The vulnerability resides in the `acommon::ObjStack::dup_top` function, as well as other allocation functions like `alloc_bottom`, `alloc_top`, and `alloc_temp`. The patch modifies these functions by adding calls to `check_size` before performing allocations that could potentially lead to an overflow. Specifically, the `alloc_bottom`, `alloc_top`, and `alloc_temp` functions now include checks before `new_chunk()` is called.
What the fix does
The patch introduces a `will_overflow` function to check if a requested allocation size `sz` would exceed the current chunk size, considering the offset of the `data` field. A new `check_size` function asserts that the allocation will not overflow before proceeding. This prevents the heap-based buffer overflow by ensuring that allocation requests do not exceed available space within a chunk, thus avoiding the overflow condition.
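A constructed C model of the check described above, added here as an illustration and not Aspell's own code: a chunked bump allocator whose allocation path asks `will_overflow` whether the request can fit in a chunk's data area (measured from the offset of the `data` field) before touching any pointer. The names `ObjStack`, `alloc_bottom`, `new_chunk` and `will_overflow` echo the page; the struct layout, the fixed chunk size and returning NULL instead of the patch's `assert` are assumptions.

```c
#include <assert.h>
#include <stddef.h>
#include <stdlib.h>
/* Constructed model of a chunked bump allocator in the spirit of Aspell's
 * ObjStack (illustration only): a header, then a data area, bumped in place. */
typedef struct Chunk {
    struct Chunk *prev;
    char data[];         /* data area begins at offsetof(Chunk, data) */
} Chunk;
typedef struct {
    size_t chunk_size;   /* bytes per chunk, header included (assumed fixed) */
    Chunk *cur;
    char *bottom;        /* next free byte in the current chunk */
    char *top;           /* one past the last usable byte */
} ObjStack;
static void new_chunk(ObjStack *s) {
    Chunk *c = malloc(s->chunk_size);
    assert(c != NULL);
    c->prev = s->cur;
    s->cur = c;
    s->bottom = c->data;
    s->top = (char *)c + s->chunk_size;
}
void objstack_init(ObjStack *s, size_t chunk_size) {
    assert(chunk_size > offsetof(Chunk, data));
    s->chunk_size = chunk_size;
    s->cur = NULL;
    new_chunk(s);
}

/* The patch's will_overflow idea: a request larger than one chunk's data
 * area can never be satisfied, not even by a fresh chunk. */
int will_overflow(const ObjStack *s, size_t sz) {
    return sz > s->chunk_size - offsetof(Chunk, data);
}

/* Hardened path. Without the first line an oversized sz falls through to
 * new_chunk() and the bump runs past that chunk's end: the advisory's bug. */
void *alloc_bottom(ObjStack *s, size_t sz) {
    if (will_overflow(s, sz)) return NULL;  /* check_size in the patch asserts here */
    if ((size_t)(s->top - s->bottom) < sz) new_chunk(s);
    void *p = s->bottom;
    s->bottom += sz;
    return p;
}

void objstack_free(ObjStack *s) {
    while (s->cur) { Chunk *p = s->cur->prev; free(s->cur); s->cur = p; }
}
```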
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H7E4EI7F6TVN7K6XWU6HSANMCOKKEREE/ (MITRE, vendor advisory, x_refsource_FEDORA)
- www.debian.org/security/2021/dsa-4948 (MITRE, vendor advisory, x_refsource_DEBIAN)
- bugs.chromium.org/p/oss-fuzz/issues/detail (MITRE, x_refsource_MISC)
- github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a (MITRE, x_refsource_MISC)
- github.com/google/oss-fuzz-vulns/blob/main/vulns/aspell/OSV-2020-521.yaml (MITRE, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2021/07/msg00021.html (MITRE, mailing list, x_refsource_MLIST)
News mentions
No linked articles in our index yet.