VYPR
Unrated severity · NVD Advisory · Published Jan 14, 2022 · Updated Aug 4, 2024

CVE-2021-46168


Description

Spin v6.5.1 has an out-of-bounds write in lex() due to improper bounds checking on scope_seq, causing crash via crafted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Affected versions: Spin version 6.5.1 (commit 045a0a5) contains an out-of-bounds write vulnerability in the lex() function within spinlex.c (line 1707). Specifically, the scope_seq array is declared with size 128, but the code increments scope_seq[scope_level++] without checking if scope_level exceeds 127. When a Spin Promela file contains 129 or more opening braces {, the scope_level index overflows the array, causing an out-of-bounds write. Additionally, if there are more closing braces } than opening ones, scope_level becomes negative, leading to writing before the array [1].

Exploitation

An attacker can trigger this vulnerability by providing a specially crafted Promela file to the spin parser. No authentication or special privileges are required; the attacker only needs to invoke the spin command-line tool on the malicious file. The issue is demonstrated with a PoC input containing multiple { characters. When parsed, the out-of-bounds write corrupts memory, and subsequently the fclose(yyin) call at main:1162 causes a segmentation fault [1].

Impact

Successful exploitation leads to a segmentation fault (crash) due to memory corruption. This could potentially be escalated to arbitrary code execution depending on the memory layout, but the reference only confirms a crash. The immediate impact is denial of service via application termination [1].

Mitigation

As of the reference date (January 2022), no official patch was available. Users should avoid parsing untrusted Spin Promela files with version 6.5.1. The issue was reported on GitHub [1], so users should monitor the Spin repository for a fix. No workaround is provided.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check on `scope_level` when indexing the fixed-size `scope_seq[128]` array in `lex()` allows out-of-bounds write."

Attack vector

An attacker provides a specially crafted Promela (`.pml`) input file containing 129 or more consecutive `{` characters [ref_id=1]. When Spin processes this file, the `lex()` function increments `scope_level` past the 128-element `scope_seq` array and writes beyond its bounds [ref_id=1]. This out-of-bounds write corrupts the `yyin` file pointer, leading to a crash when `fclose(yyin)` is called later in `main()` [ref_id=1]. No authentication or special privileges are required — the attacker only needs to supply the malformed input file to the `spin` binary.

Affected code

The out-of-bounds write occurs in the `lex()` function in `spinlex.c` at line 1707 [ref_id=1]. The array `scope_seq[128]` is indexed by `scope_level` without bounds checking. When more than 128 `{` characters are encountered, `scope_level` exceeds the array size, causing an out-of-bounds write that corrupts adjacent memory, including the `yyin` file pointer [ref_id=1].

What the fix does

The advisory does not include a patch or official fix [ref_id=1]. The reporter suggests that a limit should be added to prevent `scope_level` from exceeding the array bounds or becoming negative [ref_id=1]. A proper fix would add a bounds check before accessing `scope_seq[scope_level]` in both the `{` and `}` cases, and either reject input that exceeds the maximum nesting depth or dynamically resize the array.
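To make the suggested fix concrete, here is a small, self-contained scope tracker written for this page. It is not Spin's spinlex.c and does not reproduce its real logic; it is a hypothetical stand-in that keeps the shape the advisory describes (a fixed 128-slot `scope_seq` array indexed by `scope_level`) and adds the two bounds checks the reporter asks for: refuse an opening brace when every slot is already in use, and refuse a closing brace when the level is already zero. The function names (`scope_open`, `scope_close`, `scan_braces`, `scan_n_opens`, `scan_text`) and the error codes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified scope bookkeeping for illustration only.
 * Not Spin's code: it mirrors the fixed-size array the advisory names
 * and shows where a bounds check stops the out-of-bounds write. */
#define MAX_SCOPE 128

enum scope_err { SCOPE_OK = 0, SCOPE_TOO_DEEP = -1, SCOPE_UNBALANCED = -2 };

typedef struct {
    int scope_seq[MAX_SCOPE]; /* one sequence counter per nesting level */
    int scope_level;          /* current depth, kept within 0 .. MAX_SCOPE */
} scope_state;

void scope_init(scope_state *st) { memset(st, 0, sizeof *st); }

/* '{' : the unchecked original would write scope_seq[128] on the 129th
 * brace; checking before the write keeps the index inside the array. */
int scope_open(scope_state *st)
{
    if (st->scope_level >= MAX_SCOPE)
        return SCOPE_TOO_DEEP;
    st->scope_seq[st->scope_level++]++;
    return SCOPE_OK;
}

/* '}' : an extra closing brace would drive scope_level negative, so the
 * next '{' would index before the array; reject it before the decrement. */
int scope_close(scope_state *st)
{
    if (st->scope_level <= 0)
        return SCOPE_UNBALANCED;
    st->scope_level--;
    return SCOPE_OK;
}

/* Walk a buffer, tracking only braces. Returns SCOPE_OK or the first error;
 * a real lexer would report the error and refuse the rest of the input. */
int scan_braces(const char *src, scope_state *st)
{
    scope_init(st);
    for (const char *p = src; *p; p++) {
        int rc = SCOPE_OK;
        if (*p == '{')
            rc = scope_open(st);
        else if (*p == '}')
            rc = scope_close(st);
        if (rc != SCOPE_OK)
            return rc;
    }
    return SCOPE_OK;
}

/* Convenience wrapper: scan a string and return only the result code. */
int scan_text(const char *src)
{
    scope_state st;
    return scan_braces(src, &st);
}

/* Build n consecutive '{' characters (constructed input, like the advisory's
 * repro) and scan them; n beyond the buffer is treated as too deep. */
int scan_n_opens(int n)
{
    char buf[MAX_SCOPE + 16];
    if (n < 0 || n > (int)sizeof buf - 1)
        return SCOPE_TOO_DEEP;
    memset(buf, '{', (size_t)n);
    buf[n] = '\0';
    return scan_text(buf);
}

int main(void)
{
    printf("128 opens  -> %d (ok)\n",          scan_n_opens(128));
    printf("129 opens  -> %d (too deep)\n",    scan_n_opens(129));
    printf("lone '}'   -> %d (unbalanced)\n",  scan_text("}"));
    printf("'{{}}'     -> %d (ok)\n",          scan_text("{{}}"));
    return 0;
}
```

Running the program shows the 129-brace input being rejected with `SCOPE_TOO_DEEP` instead of silently writing past the array, and a stray `}` being rejected before the level can go negative. Whether a real fix rejects such input or grows the array is a design choice; the invariant that matters for detection and review is that `scope_level` is checked against the array bounds before every write.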

Preconditions

  • Input: Attacker must supply a .pml file with at least 129 consecutive '{' characters.
  • Input: The spin binary must be invoked on the attacker-controlled file.

Reproduction

Create a file `poc.pml` containing 129 `{` characters (e.g., `{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{`). Run `./spin ./poc.pml`. The tool will report a syntax error and then crash with a segmentation fault [ref_id=1].

Generated on May 30, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.