CVE-2026-6068 · NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the

01 · The Real Story

This is a booby-trapped compiler flag, not an open front door

CVE-2026-6068 is a heap use-after-free in NASM's -@ response-file handling: a pointer derived from the response-file buffer is stored in global depend_file, the backing buffer is freed, and the stale pointer is later dereferenced during command-line parsing. Public references confirm the bug in the -@ path and NVD currently enriches at least 3.02rc5 as affected; the full upstream affected range is not authoritatively published, so anything carrying the same code path should be treated as suspect until the project ships a fix.

The vendor's CRITICAL 9.6 framing overshoots reality for enterprise patch queues. The deciding friction is attacker position: NASM is a local assembler used on developer workstations and CI runners, so exploitation generally requires getting a victim build process to consume attacker-controlled response-file content or a malicious repository/build recipe first. That makes this a real supply-chain and build-host integrity problem, but not a mass internet-reachable emergency on the level implied by a network-preauth RCE score.

"Bad bug, wrong audience: this is a build-tool supply-chain risk, not a broad unauthenticated remote emergency"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land attacker-controlled build input

The attacker needs a path to influence NASM invocation inputs, typically by committing a malicious repo, poisoning a third-party dependency, or getting a developer/runner to fetch a crafted response file. The bug is triggered through NASM's -@ option, not through passive network exposure. Practically, this is a build-chain entry problem first and a memory-corruption problem second.

Conditions required:

Attacker can influence source tree, build scripts, or artifacts consumed by NASM
Victim environment actually uses NASM in its toolchain
Build process permits -@ response-file usage or equivalent attacker-controlled invocation path

Where this breaks in practice:

Most enterprise endpoints do not run NASM at all
Many CI systems build only trusted branches or reviewed merges
A malicious response file usually implies prior repo/dependency compromise or strong social engineering

Detection/coverage: SCA/SBOM tools can identify NASM presence, but generic vulnerability scanners will miss source-built copies and cannot prove the -@ path is reachable in your pipelines.

STEP 02

Trigger the dangling-pointer path with nasm -@

Using the -@ response-file mechanism described in issue #222, the attacker causes NASM to store a pointer into depend_file, free the backing buffer, and later reuse it. The public bug report maps the path through process_arg(), process_respfile(), and parse_cmdline(). This is reliable enough for a crash under ASan and is the concrete trigger defenders should care about.

Conditions required:

NASM binary or source tree contains the vulnerable code path
Victim invocation reaches the response-file parser
Inputs are shaped to keep the stale pointer relevant for later dereference

Where this breaks in practice:

Some environments never use response files
Wrapper scripts may sanitize arguments or pin fixed compiler options
Developer tooling often differs across teams, so exploit portability is limited

Detection/coverage: ASan builds will catch the UAF during testing; production builds usually won't. EDR may only see nasm crashing or behaving abnormally, which is weak signal.

STEP 03

Convert memory corruption into code execution on a build host

Project SEKAI claims the bug can be pushed from UAF to deterministic persistent RCE on unpatched NASM builds. If that holds in your environment, the attacker gains execution in the context of the developer workstation or CI runner account, which is often enough to steal secrets, tamper with artifacts, or plant backdoors in outputs. This is the main amplifier that keeps the CVE out of LOW severity.

Conditions required:

The public exploitation technique works against the target build and allocator behavior
Victim host executes NASM with attacker-controlled content
The NASM process has access to source, artifacts, or CI secrets worth stealing

Where this breaks in practice:

Exploit reliability beyond crash is publicly claimed by a researcher but not vendor-confirmed
Build runners may be ephemeral, sandboxed, or isolated from signing systems
Least-privilege CI identities and secret-scoping can sharply reduce blast radius

Detection/coverage: Behavioral EDR on build hosts can catch post-exploitation actions better than the memory bug itself. CI audit logs may show anomalous artifact changes, unexpected child processes, or secret-access spikes.

STEP 04

Abuse the build environment for downstream impact

Once code runs on the build host, the attacker can alter objects, patch generated binaries, exfiltrate signing material, or poison release outputs. That turns a narrow local parser bug into a software-supply-chain event. The business impact can be severe, but only for the subset of systems that both run NASM and process attacker-influenced builds.

Conditions required:

Compromised host can reach artifact stores, package registries, or signing workflows
Output from the affected build is trusted downstream
Change-review and reproducibility controls are weak enough to miss tampering

Where this breaks in practice:

Modern pipelines often separate build, signing, and release stages
Reproducible builds, attestations, and artifact diffing can expose manipulation
Many NASM uses are niche or internal and do not feed customer-facing software

Detection/coverage: Pipeline integrity tooling, artifact signing logs, and reproducibility checks are more useful here than network scanners.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No authoritative evidence of active exploitation found in CISA KEV as of 2026-05-30; public discussion is researcher-led, not campaign-led. Source: CISA KEV catalog
Proof-of-concept / exploit status	Public bug report with reproducer attachment exists in netwide-assembler/nasm issue #222; Project SEKAI claims a path from UAF to persistent RCE.
EPSS	`0.00029` (about 0.029%) from the user-provided intel; that is extremely low and directionally consistent with a niche build-tool bug. EPSS methodology/API reference: FIRST EPSS and API docs
KEV status	Not listed in CISA KEV; no CISA due date exists. Source: KEV catalog
CVSS vector reality check	User-supplied vendor vector is `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H` with 9.6 CRITICAL, but public distro/NVD enrichment currently shows a much lower `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N` 6.5 style assessment. Neither cleanly models the real attack path, which is better understood as attacker-controlled build input against a local CLI tool.
Affected versions	Authoritatively confirmed public affected range is unclear. NVD currently enriches at least `cpe:2.3:a:nasm:netwide_assembler:3.02:rc5:::::::*`; Debian and Ubuntu track the CVE but do not yet publish fixed package versions. Source: NVD, Ubuntu CVE page, Debian tracker
Fixed version	No authoritative patched version published in the sources reviewed. Upstream issue remained open in public references reviewed, and distro trackers show evaluation/vulnerable states rather than a shipped fix.
Exposure / scanning reality	No meaningful Shodan/Censys-style internet exposure story: NASM is a local x86 assembler CLI, not a listening network service. Exposure population is developer workstations, CI runners, and build containers that actually invoke NASM with attacker-influenced inputs (inference from product description on nasm.us).
Disclosure timeline	Public CVE publication: 2026-04-10. Researcher issue opened 2026-03-31. Research blog with RCE claim published 2026-05-18. Sources: NVD, issue #222, SEKAI blog
Reporter / coordinator	Bug reporter: GitHub user `BreakingBad6` / Project SEKAI researcher. CVE source listed by NVD as CERT/CC. Sources: issue #222, NVD

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.6/10)

The single biggest downgrading factor is attacker position: this is not something an unauthenticated internet attacker sprays across your estate; it requires a victim build pipeline or developer endpoint to process attacker-controlled NASM input. The blast radius can be serious where NASM sits in sensitive build chains, but the reachable population is small and heavily skewed toward already-compromised or socially engineered workflows.

HIGH Assessment that enterprise-wide exposure is narrow because NASM is a build tool, not a network service

MEDIUM Assessment that real-world exploitation usually requires prior repo/dependency influence or user-driven build execution

LOW Assessment of consistent RCE reliability across diverse production NASM builds

Why this verdict

Downgrade for attacker position: exploitation starts with control of build input, repository content, or response-file content; that is materially narrower than a true network-preauth service flaw.
Downgrade for exposure fraction: only systems that actually run NASM are in scope, and in most enterprises that is a tiny slice of developer workstations, CI runners, and niche build containers rather than 10,000 general endpoints.
Hold at MEDIUM because of supply-chain blast radius: if a sensitive CI runner or release workstation is hit, the attacker can tamper with artifacts or steal secrets, so this is still more than hygiene-level noise.

Why not higher?

There is no evidence here of broad internet reachability, wormability, or one-shot exploitation against common end-user/server software. Every practical attack chain assumes either attacker-controlled build input, social engineering, or an earlier compromise stage in the software supply chain, and each prerequisite compounds downward pressure on severity.

Why not lower?

The bug is still a memory-safety flaw in a trusted build component, and public research claims a path to code execution rather than a mere crash. On build hosts with access to source, package registries, or signing workflows, compromise can have outsized downstream impact even if the vulnerable population is small.

05 · Compensating Control

What to do — in priority order.

Block untrusted NASM builds on shared runners — Do not allow shared CI runners to build forks, external pull requests, or third-party source with NASM enabled unless the runner is fully isolated and ephemeral. Even though this is a MEDIUM and there is no mitigation SLA, do this in your next normal hardening cycle because it directly removes the attacker-controlled-input prerequisite.
Constrain CI identities and secrets — Scope tokens so NASM build jobs cannot read signing keys, production registries, or unrelated secrets. For a MEDIUM verdict there is no mitigation SLA, but reducing secret reach sharply limits the only scenario that makes this bug strategically dangerous: build-host compromise turning into supply-chain compromise.
Inventory and pin NASM instances — Find NASM on developer images, build containers, and self-hosted runners; pin approved versions and prevent ad hoc source builds where possible. With no mitigation SLA for MEDIUM, complete this as routine vulnerability management and be ready to swap in the vendor fix quickly once one exists.
Disable or lint response-file usage — If your build wrappers can do it, reject -@ response-file usage or require allowlisted, generated response files only. This directly targets the vulnerable parser path and is a practical temporary control until an upstream fix is available.
Increase build-host telemetry — Turn on process, child-process, file-write, and artifact-diff telemetry for build workers that run NASM. There is no mitigation SLA for MEDIUM, but better telemetry is the fastest way to catch the post-exploitation behaviors that matter more than the parser crash itself.

What doesn't work

Perimeter firewalls or WAFs do not help because NASM is not a network-facing service.
Generic vulnerability scans alone do not solve this because source-built NASM copies and custom CI containers are easy to miss.
MFA does not block the vulnerable code path once a malicious repository, dependency, or build input is already being processed.

06 · Verification

Crowdsourced verification payload.

Run this on the target developer workstation, CI runner, or build container that may invoke NASM. Save as check-nasm-cve-2026-6068.sh and run bash check-nasm-cve-2026-6068.sh with a normal user account; no root is required unless you want package-manager metadata from restricted locations.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-nasm-cve-2026-6068.sh
# Detect likely exposure to CVE-2026-6068 in NASM.
# Exit codes:
#   0 = PATCHED / not vulnerable by version heuristic
#   1 = VULNERABLE
#   2 = UNKNOWN
#   3 = NASM not installed

set -u

have_cmd() {
  command -v "$1" >/dev/null 2>&1
}

extract_version() {
  # Example: "NASM version 3.02rc7 compiled on ..."
  nasm -v 2>/dev/null | sed -nE 's/.*version[[:space:]]+([^[:space:]]+).*/\1/p' | head -n1
}

version_in_known_vuln_window() {
  local v="$1"
  case "$v" in
    3.02rc5|3.02rc6|3.02rc7) return 0 ;;
    *) return 1 ;;
  esac
}

source_pattern_present() {
  local f="$1"
  [ -f "$f" ] || return 1
  grep -q 'depend_file = q;' "$f" 2>/dev/null || return 1
  grep -q 'nasm_free(buffer);' "$f" 2>/dev/null || return 1
  grep -q 'strcmp(inname, depend_file)' "$f" 2>/dev/null || return 1
  return 0
}

if ! have_cmd nasm; then
  echo "UNKNOWN: NASM not found on PATH"
  echo "NOT_INSTALLED"
  exit 3
fi

VER="$(extract_version)"
if [ -z "$VER" ]; then
  echo "UNKNOWN: Could not parse NASM version"
  exit 2
fi

# Heuristic 1: publicly enriched NVD data confirms at least 3.02rc5,
# and public references reviewed do not disclose a fixed version.
if version_in_known_vuln_window "$VER"; then
  echo "VULNERABLE: NASM version $VER falls in the publicly known affected pre-release window"
  exit 1
fi

# Heuristic 2: if source tree is present, inspect for the vulnerable code pattern.
for candidate in \
  ./asm/nasm.c \
  /usr/src/*/asm/nasm.c \
  /usr/local/src/*/asm/nasm.c

do
  for f in $candidate; do
    if source_pattern_present "$f"; then
      echo "VULNERABLE: source pattern for CVE-2026-6068 found in $f"
      exit 1
    fi
  done
done

# If version is newer than the known vulnerable prerelease set we still may not know,
# because no authoritative fixed version was available in reviewed sources.
case "$VER" in
  3.02rc*|3.*|2.*)
    echo "UNKNOWN: NASM version $VER installed, but no authoritative fixed version was published in reviewed sources"
    exit 2
    ;;
  *)
    echo "PATCHED: NASM version $VER is outside the known vulnerable prerelease window and no source pattern was found"
    exit 0
    ;;
esac

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not treat this like a fleetwide internet-fire drill. Instead, inventory where NASM exists, identify build systems that accept untrusted code or dependencies, and put temporary guardrails around -@ response-file use and shared CI runners. For a MEDIUM verdict there is noisgate mitigation SLA: no mitigation SLA — go straight to the 365-day remediation window; since no authoritative upstream fix was visible in the reviewed sources, use that window to track the vendor release, prep your package/container updates now, and deploy the real fix inside the noisgate remediation SLA of ≤365 days once it becomes available.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.