{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2018-25258", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-12T12:13:36.489Z", "datePublished": "2026-04-12T12:28:44.496Z", "dateUpdated": "2026-04-13T18:06:18.442Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-12T12:28:44.496Z"}, "datePublic": "2019-01-10T00:00:00.000Z", "title": "RGui 3.5.0 Local Buffer Overflow SEH DEP Bypass", "descriptions": [{"lang": "en", "value": "RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "affected": [{"vendor": "R-Project", "product": "RGui", "versions": [{"version": "3.5.0", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.6, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46107", "name": "ExploitDB-46107", "tags": ["exploit"]}, {"url": "https://www.r-project.org/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://cran.r-project.org/bin/windows/base/old/3.5.0/R-3.5.0-win.exe", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: RGui 3.5.0 Local Buffer Overflow SEH DEP Bypass", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/rgui-local-buffer-overflow-seh-dep-bypass"}], "credits": [{"lang": "en", "value": "bzyo", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2018-25258", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T17:38:10.324387Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:06:18.442Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2018-25258", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T17:38:10.324387Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:58:12.327Z"}}], "cna": {"title": "RGui 3.5.0 Local Buffer Overflow SEH DEP Bypass", "credits": [{"lang": "en", "type": "finder", "value": "bzyo"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "R-Project", "product": "RGui", "versions": [{"status": "affected", "version": "3.5.0"}]}], "datePublic": "2019-01-10T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/46107", "name": "ExploitDB-46107", "tags": ["exploit"]}, {"url": "https://www.r-project.org/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://cran.r-project.org/bin/windows/base/old/3.5.0/R-3.5.0-win.exe", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/rgui-local-buffer-overflow-seh-dep-bypass", "name": "VulnCheck Advisory: RGui 3.5.0 Local Buffer Overflow SEH DEP Bypass", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-12T12:28:44.496Z"}}}, "cveMetadata": {"cveId": "CVE-2018-25258", "state": "PUBLISHED", "dateUpdated": "2026-04-13T18:06:18.442Z", "dateReserved": "2026-04-12T12:13:36.489Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-12T12:28:44.496Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution."}], "id": "CVE-2018-25258", "lastModified": "2026-04-15T15:00:32.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-12T13:16:31.740", "references": [{"source": "disclosure@vulncheck.com", "url": "https://cran.r-project.org/bin/windows/base/old/3.5.0/R-3.5.0-win.exe"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/46107"}, {"source": "disclosure@vulncheck.com", "url": "https://www.r-project.org/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/rgui-local-buffer-overflow-seh-dep-bypass"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.5.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "rgui", "vendor": "r-project"}], "analysis": {"en": {"generated_at": "2026-04-12T13:52:54.477177+00:00", "value": {"mitigation_remediation": ["Download and install the latest RGui release from the R\u2011Project website, which removes the vulnerable code.", "If an update cannot be applied, limit or revoke local user access to the RGui executable or uninstall the application entirely to prevent exploitation.", "Continuously monitor system logs for anomalous RGui activity and keep other system components patched to reduce the overall attack surface."], "summary": {"action": "Apply Patch", "impact": "Local Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects only the Windows 32\u2011bit or 64\u2011bit executable of RGui 3.5.0 distributed by the R\u2011Project. Earlier or later releases of RGui are not impacted.", "description_and_impact": "A stack\u2011based buffer overflow has been discovered in the Preferences dialog of RGui version 3.5.0. The flaw allows a local attacker who can manipulate the \"Language for menus and messages\" field to overwrite the stack, use a return\u2011oriented programming chain to allocate executable memory, and ultimately execute arbitrary code. The weakness is a classic buffer overflow that defeats DEP protections via structured exception handling exploitation.", "risk_and_exploitability": "The CVSS base score of 8.6 signals a high\u2011severity issue. No EPSS value is reported, and the vulnerability is not catalogued in the CISA KEV list. Because the exploit requires local access to the RGui application, the attack vector is local; however, once successfully exploited the adversary can take arbitrary code execution on the affected system, posing a severe risk to confidentiality, integrity, and availability. The lack of a KEV listing and unavailable EPSS score do not undercut the immediate threat posed by the high CVSS score and the potential for local code compromise."}}}}, "created": "2026-04-13T12:41:23.349103+00:00", "updated": "2026-04-13T12:56:02.416754+00:00", "vendors": ["r-project", "r-project$PRODUCT$rgui"]}