CVE-2018-25258
Published: 12 April 2026
Summary
CVE-2018-25258 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in R Project (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 8.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2018-25258 is a local buffer overflow vulnerability in RGui 3.5.0, the graphical user interface component of the R statistical computing environment for Windows. The flaw resides in the GUI preferences dialog, where attackers can supply malicious input to the "Language for menus and messages" field. This input triggers a stack-based buffer overflow, enabling structured exception handling (SEH) exploitation to bypass Data Execution Prevention (DEP) protections, followed by a return-oriented programming (ROP) chain that invokes VirtualAlloc for memory allocation and leads to arbitrary code execution. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker with unprivileged access to the system can exploit this vulnerability with low complexity. By crafting and entering the malicious string into the specified preferences field, the attacker triggers the overflow during dialog processing. This allows execution of a ROP chain to allocate executable memory and run arbitrary code, potentially granting full system compromise despite DEP mitigations. No special privileges or additional user interaction beyond accessing the preferences dialog are required.
Advisories and references, including a VulnCheck advisory detailing the RGui local buffer overflow with SEH DEP bypass, provide technical analysis of the issue. An exploit proof-of-concept is available at Exploit-DB (ID 46107), and the vulnerable R-3.5.0 Windows executable is hosted on the CRAN R-project archive, with the main R-project site at r-project.org offering context on the software.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21770
Vulnerability details
RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Local stack buffer overflow in RGui enables SEH/ROP-based arbitrary code execution from unprivileged context, directly facilitating local privilege escalation to full system compromise.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly eliminates the buffer overflow vulnerability in RGui by applying patches or upgrading to a non-vulnerable version.
Information input validation in the GUI preferences dialog prevents malicious strings from triggering the stack-based buffer overflow.
Memory protection mechanisms counter SEH exploitation and ROP chains used to bypass DEP and achieve arbitrary code execution.
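The input-validation control (SI-10) described above, shown as an added C sketch that is not RGui's source code: an untrusted language preference is length-checked and allow-listed before it is copied into a fixed-size buffer. The buffer size, the function and enum names, and the allowed alphabet are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration; the page does not state the real buffer size. */
#define LANG_BUF_SIZE 16

enum lang_status { LANG_OK = 0, LANG_TOO_LONG, LANG_BAD_CHAR, LANG_BAD_ARG };

/*
 * Hypothetical helper: validate an untrusted "language" value and copy it
 * into dst only if it fits and uses an allow-listed alphabet (letters,
 * digits, '_', '-', '.', '@', as in locale names such as "pt_BR").
 * On any failure dst is left as the empty string, so callers never see
 * partially copied input. An empty value is accepted (treated as default).
 */
static enum lang_status set_language(char *dst, size_t dst_size,
                                     const char *src, size_t src_len)
{
    if (dst == NULL || dst_size == 0 || src == NULL)
        return LANG_BAD_ARG;
    dst[0] = '\0';

    /* Length check before any copy: reject instead of truncating. */
    if (src_len >= dst_size)
        return LANG_TOO_LONG;

    for (size_t i = 0; i < src_len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@'))
            return LANG_BAD_CHAR;   /* also rejects embedded NUL and raw bytes */
    }

    memcpy(dst, src, src_len);      /* bounded: src_len < dst_size */
    dst[src_len] = '\0';
    return LANG_OK;
}

int main(void)
{
    char lang[LANG_BUF_SIZE];
    char oversized[4096];           /* constructed over-long input */
    memset(oversized, 'A', sizeof oversized);

    printf("pt_BR      -> %d\n", set_language(lang, sizeof lang, "pt_BR", 5));
    printf("4096 x 'A' -> %d\n",
           set_language(lang, sizeof lang, oversized, sizeof oversized));
    return 0;
}
```

Rejecting over-long input outright, rather than truncating it, also gives the application a clear event to log when a preferences value is malformed.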