Description
Flat Assembler 1.71.21 contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying oversized input to the application. Attackers can craft malicious assembly input exceeding 5895 bytes to overwrite the instruction pointer and execute return-oriented programming chains for shell command execution.
Published: 2026-03-28
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution (local)
Action: Apply patch
AI Analysis

Impact

Flat Assembler version 1.71.21 contains a stack‑based buffer overflow that allows a local attacker to supply input larger than 5895 bytes, overwriting the instruction pointer on the stack and enabling arbitrary code execution via return‑oriented programming chains. This flaw is a classic buffer overrun (CWE‑787) and can lead to denial of service or the execution of arbitrary shell commands on the machine where Flat Assembler runs.

Affected Systems

The affected product is Flat Assembler 1.71.21 from Flatassembler. No other affected versions are reported in the data.

Risk and Exploitability

The CVSS score of 8.6 signals a high severity vulnerability, but the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers would need local access to the target machine to provide malicious assembly input, so the primary attack vector is local. The exploit requires the attacker to run or influence Flat Assembler in a way that allows oversized input to be processed.

Generated by OpenCVE AI on April 2, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Flatassembler website or official advisories for a newer version that includes the fix and upgrade to it if available. If an update is not yet released, limit user privileges for running Flat Assembler and avoid processing untrusted input. Consider implementing application whitelisting or antivirus scanning to detect attempts to supply oversized assembly files.

Generated by OpenCVE AI on April 2, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:flatassembler:flat_assembler:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Flatassembler
Flatassembler flat Assembler
Vendors & Products Flatassembler
Flatassembler flat Assembler

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Description Flat Assembler 1.71.21 contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying oversized input to the application. Attackers can craft malicious assembly input exceeding 5895 bytes to overwrite the instruction pointer and execute return-oriented programming chains for shell command execution.
Title Flat Assembler 1.71.21 Stack-Based Buffer Overflow ROP
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Flatassembler Flat Assembler
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T17:22:57.095Z

Reserved: 2026-03-28T11:44:45.966Z

Link: CVE-2017-20228

cve-icon Vulnrichment

Updated: 2026-03-30T17:22:22.677Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-28T12:16:02.200

Modified: 2026-04-02T19:20:02.873

Link: CVE-2017-20228

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:38:28Z

Weaknesses