YARA Crashes on Malicious Files, Possibly Allowing Attackers to Crash or Take Control
USN-8080-1
Summary
Some versions of YARA, a tool used to detect malware, can crash if it processes specially crafted files. This could allow an attacker to temporarily disrupt the tool, or, in some cases, take control of the system. If you're using YARA on Ubuntu 16.04 or 18.04, update to the latest version to fix these issues.
What to do
- Update canonical yara to version 3.4.0+dfsg-2ubuntu0.1~esm1.
- Update canonical yara to version 3.7.1-1ubuntu2+esm1.
- Update canonical yara to version 3.9.0-1ubuntu0.1~esm1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| canonical | yara | <= 3.4.0+dfsg-2ubuntu0.1~esm1 | 3.4.0+dfsg-2ubuntu0.1~esm1 |
| canonical | yara | <= 3.7.1-1ubuntu2+esm1 | 3.7.1-1ubuntu2+esm1 |
| canonical | yara | <= 3.9.0-1ubuntu0.1~esm1 | 3.9.0-1ubuntu0.1~esm1 |
Original title
yara vulnerabilities
Original description
Kamil Frankowicz discovered that a number of YARA's functions
generated memory exceptions when processing specially crafted
rules or files. A remote attacker could possibly use these
issues to cause YARA to crash, resulting in a denial of
service. These issues only affected Ubuntu 16.04 LTS.
(CVE-2016-10211, CVE-2017-5923, CVE-2017-5924, CVE-2017-8294,
CVE-2017-8929, CVE-2017-9304, CVE-2017-9438, CVE-2017-9465)

Jurriaan Bremer discovered that YARA's yr_object_array_set_limit()
function could result in a heap buffer overflow when scanning
specially crafted .NET files. A remote attacker could possibly use
this issue to cause YARA to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS. (CVE-2017-11328)

It was discovered that YARA's yr_execute_code() function could
cause an out-of-bounds read or write when parsing specially crafted
compiled rule files. A remote attacker could possibly use these
issues to cause YARA to crash, resulting in a denial of service.
These issues only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
(CVE-2018-12034, CVE-2018-12035)

It was discovered that YARA's virtual machine could be escaped in
certain instances. A remote attacker could possibly use these issues
to execute arbitrary code. These issues only affected Ubuntu 16.04
LTS and Ubuntu 18.04 LTS. (CVE-2018-19974, CVE-2018-19975,
CVE-2018-19976)

It was discovered that YARA's macho_parse_file() function would
generate an out-of-bounds memory access error when parsing a
specially crafted Mach-O file. A remote attacker could possibly use
this issue to cause YARA to crash, resulting in a denial of service,
or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS.
(CVE-2019-19648)

It was discovered that YARA's macho.c implementation contained several
overflow reads, which could be triggered when parsing specially
crafted Mach-O files. A remote attacker could possibly use this issue
to cause YARA to crash, resulting in a denial of service, or to learn
sensitive information. This issue only affected Ubuntu 20.04 LTS.
(CVE-2021-3402)

It was discovered that YARA's yr_set_configuration() function could
trigger a buffer overflow when parsing specially crafted rules. A
remote attacker could possibly use this issue to cause YARA to crash,
resulting in a denial of service. This issue only affected Ubuntu
18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-45429)
- https://ubuntu.com/security/notices/USN-8080-1 Vendor Advisory
- https://ubuntu.com/security/CVE-2016-10211 Third Party Advisory
- https://ubuntu.com/security/CVE-2017-5923 Third Party Advisory
- https://ubuntu.com/security/CVE-2017-5924 Third Party Advisory
- https://ubuntu.com/security/CVE-2017-8294 Third Party Advisory
- https://ubuntu.com/security/CVE-2017-8929 Third Party Advisory
- https://ubuntu.com/security/CVE-2017-9304 Third Party Advisory
- https://ubuntu.com/security/CVE-2017-9438 Third Party Advisory
- https://ubuntu.com/security/CVE-2017-9465 Third Party Advisory
- https://ubuntu.com/security/CVE-2017-11328 Third Party Advisory
- https://ubuntu.com/security/CVE-2018-12034 Third Party Advisory
- https://ubuntu.com/security/CVE-2018-12035 Third Party Advisory
- https://ubuntu.com/security/CVE-2018-19974 Third Party Advisory
- https://ubuntu.com/security/CVE-2018-19975 Third Party Advisory
- https://ubuntu.com/security/CVE-2018-19976 Third Party Advisory
- https://ubuntu.com/security/CVE-2019-19648 Third Party Advisory
- https://ubuntu.com/security/CVE-2021-3402 Third Party Advisory
- https://ubuntu.com/security/CVE-2021-45429 Third Party Advisory
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026