CVE-2022-25462
Description
A segmentation fault in Yafu v2.0's avx-ecm component allows denial of service via a crafted factorization input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A segmentation fault in Yafu v2.0's avx-ecm component allows denial of service via a crafted factorization input.
Vulnerability
A segmentation fault exists in Yafu v2.0 within the vecsqrmod52 function in /factor/avx-ecm/vecarith52.c at line 14433. The crash occurs when the program attempts to factor a specific large number using the AVX-ECM module. The issue was reported by a user who merged all dependencies of Yafu and triggered the fault with the input factor(4233133576589787911052873395725373610641079968802963985967) [1]. The affected version is Yafu v2.0 with the AVX-ECM dependency integrated.
Exploitation
An attacker can cause a denial of service by providing the vulnerable Yafu binary with the specific large number as input to the factor() function. No authentication or special privileges are required if the tool is used on user-supplied data. The crash is reproducible and results in a segmentation fault, as confirmed by a GDB backtrace showing the signal SIGSEGV in thread executing vecsqrmod52 [1].
Impact
Successful exploitation leads to a denial of service (DoS) via a segmentation fault, causing the Yafu process to terminate abnormally. No other impact such as code execution or information disclosure is indicated in the available references.
Mitigation
No official fix has been released for this vulnerability as of the publication date. Users are advised to avoid factoring the specific number that triggers the crash or to use an alternative version of Yafu that does not include the vulnerable AVX-ECM component. The issue is tracked in the upstream repository [1] but no patch is currently available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Yafu/Yafudescription
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Out-of-bounds memory write in `vecsqrmod52` when processing a specific large integer, leading to a segmentation fault."
Attack vector
An attacker triggers the vulnerability by providing a specific large integer to the Yafu factoring engine. The proof-of-concept call is `factor(4233133576589787911052873395725373610641079968802963985967)`, which causes a segmentation fault in the AVX-ECM vector arithmetic routines [ref_id=1]. No authentication or special network access is required; the attacker simply supplies the crafted number as input to the factoring function.
Affected code
The crash occurs in `factor/avx-ecm/vecarith52.c` at line 14433, inside the function `vecsqrmod52`. The faulting instruction is `_mm512_store_epi64(s->data + (i * BLOCKWORDS + j) * VECLEN, a0)`, which writes to memory via a pointer derived from `s->data` [ref_id=1].
What the fix does
No patch is provided in the bundle. The issue was reported as a bug in the avx-ecm subcomponent, and the reporter notes that the crash occurs when factoring a specific number using the merged Yafu 2.0 dependencies [ref_id=1]. The advisory does not specify a remediation; users are advised to monitor the upstream repository for a fix.
Preconditions
- inputThe attacker must be able to supply an arbitrary integer to the Yafu factor() function.
- configThe vulnerable code path (AVX-ECM vector arithmetic) must be exercised during factorization.
Reproduction
Call `factor(4233133576589787911052873395725373610641079968802963985967)` in Yafu v2.0. The program will crash with a segmentation fault in `vecsqrmod52` at `factor/avx-ecm/vecarith52.c:14433` [ref_id=1].
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- github.com/bbuhrow/avx-ecm/issues/1mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.