HIGH 8.4

CVE-2018-25432: Arm Whois 3.11 Buffer Overflow Allows Local Code Execution

Arm Whois version 3.11 contains a buffer overflow flaw that allows attackers with local access to execute arbitrary code. The vulnerability stems from insufficient bounds checking when processing input, allowing an attacker to craft a specially crafted file that overwrites critical memory structures used by Windows exception handling. This hijacking of the structured exception handler (SEH) gives the attacker the ability to run malicious code with the privileges of the user running the application.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-120
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Arm Whois 3.11 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting the structured exception handler. Attackers can craft a malicious input file with a 672-byte offset to overwrite the nSEH and SEH pointers, enabling code execution through exception handler hijacking.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2018-25432 is a stack-based buffer overflow in Arm Whois 3.11 affecting the application's input handling routine. The vulnerability exists due to improper validation of input length, permitting an attacker to write beyond allocated buffer boundaries at a 672-byte offset. By overwriting the Next SEH (nSEH) and SEH pointers on the stack, an attacker can redirect exception handling flow to attacker-controlled code. This technique, known as SEH-based exploitation, is a classic Windows privilege escalation and code execution vector that bypasses some conventional stack protection mechanisms. The flaw is classified under CWE-120 (Buffer Copy without Checking Size of Input), a category covering improper memory operations without proper length validation.

Business impact

The ability to achieve local code execution on systems running Arm Whois 3.11 poses a significant risk in environments where this tool is deployed. An attacker gaining code execution could steal sensitive data, modify system configuration, deploy malware, or establish persistence. While the vulnerability requires local access, it may be chained with other flaws in multi-stage attacks or exploited by insider threats. Organizations relying on Arm Whois for domain administration tasks should assess whether compromised systems could provide a foothold for lateral movement within their infrastructure.

Affected systems

Arm Whois version 3.11 is specifically affected. Organizations should inventory systems running this version to understand exposure scope. The local attack vector means that only systems where untrusted users can supply input files to Arm Whois, or where an attacker has already gained some level of system access, face direct risk. Legacy deployments and development environments may warrant higher priority assessment.

Exploitability

This vulnerability requires local access to be exploited; an attacker cannot trigger it remotely over a network. However, the attack complexity is low, meaning a straightforward malicious input file is sufficient to trigger the overflow without requiring special conditions or user interaction beyond running the application on the crafted file. The lack of authentication requirements (PR:N in the CVSS vector) means any local user can attempt exploitation. No known public exploit code was flagged in the KEV catalog at the time of this advisory, but the attack technique (SEH hijacking) is well-documented and feasible for a competent attacker.

Remediation

Upgrade Arm Whois to a patched version that includes bounds checking on input processing. Verify the specific patched version against the vendor advisory and test thoroughly in a non-production environment before deployment. If an immediate upgrade is not possible, restrict file processing permissions to trusted users only, disable Arm Whois if not actively required, and monitor system processes for unexpected code execution.

Patch guidance

Contact Arm or consult the official Arm Whois project repository for the latest patched version addressing this buffer overflow. Apply patches through your organization's standard change management process. Test the patched version against dependent systems and scripts before rolling out enterprise-wide. Verify that the patch version resolves CWE-120 input validation issues specific to Arm Whois 3.11.

Detection guidance

Monitor for execution of Arm Whois with suspicious or oversized input files, particularly those exceeding expected buffer sizes. Implement file integrity monitoring on Arm Whois binaries to detect tampering. Use endpoint detection and response (EDR) tools to identify abnormal process spawning or code execution originating from exception handler chains. Log and alert on structured exception handling anomalies or SEH pointer overwrites detected by security monitoring agents. File hashing and reputation checks on input files processed by Arm Whois can help identify known malicious payloads.

Why prioritize this

This vulnerability scores 8.4 (HIGH severity) and combines high-impact outcomes (complete system compromise via code execution) with low attack friction (no authentication, no user interaction needed). Although it requires local access, the simplicity of the exploitation method and the critical nature of unrestricted code execution justify swift remediation in any environment where Arm Whois is actively used. Prioritize systems processing untrusted input or in multi-user environments.

Risk score, explained

The CVSS 3.1 score of 8.4 reflects the combination of local attack surface (AV:L), low attack complexity (AC:L), absence of privilege requirements (PR:N), absence of user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). This score indicates a serious flaw capable of full system compromise once an attacker gains local access. The absence of net-work exploitability prevents a critical rating, but the severity remains substantial.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2018-25432 requires local access to the affected system. An attacker must be able to supply a malicious input file to Arm Whois or already have command execution capabilities on the target machine. Network-based attacks are not possible.

What versions of Arm Whois are affected?

Version 3.11 of Arm Whois is confirmed to contain this vulnerability. Verify whether your organization uses this specific version and consult the vendor advisory to confirm the range of patched versions available.

Does this vulnerability impact Windows systems only?

The vulnerability exploits Windows structured exception handling (SEH), a mechanism specific to Windows. Systems running Arm Whois on non-Windows platforms (Linux, macOS) are not vulnerable to this specific SEH-based exploitation technique, though other versions or platforms may have distinct flaws.

What is the difference between nSEH and SEH pointers?

SEH (Structured Exception Handler) is a Windows mechanism for handling runtime exceptions. The SEH pointer points to the exception handler function. The nSEH (Next SEH) is a chain pointer to the next handler in the exception chain. By overwriting both, an attacker can hijack exception flow and redirect it to malicious code when an exception occurs.

This analysis is based on the published CVE record and CVSS scoring data as of the last update. Actual exploitation complexity and real-world risk may vary based on deployment context, access controls, and compensating security measures. Organizations should validate patch availability and compatibility with their specific Arm Whois deployment before applying updates. This document does not constitute legal or compliance advice. Always verify information against official vendor advisories and consult with your security team for organization-specific risk assessment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).