Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT. https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Collin Funk writes that upstream successfully disputed the vulnerability:

“Yes, but I got sidetracked and completely forgot to update here. Sorry about that. They tagged the two CVEs as disputed and mentioned that they could not be reproduced [1][2]. I assume other sites such as Red Hat's will be updated eventually to list the same [3].

VulnDB sent a screen recording from the original reporter where they ran 'bison' with all the POC files. They all Segmentation Fault, no failed assertions or anything like the original report says.

Also, I realize now that obprintf.c is a glibc file. Gnulib (which is imported into Bison) only has obstack.c and obstack_printf.c.

With that information, on top of everything I mentioned in previous messages, I am fairly confident that these CVEs are bogus.

Collin

[1] https://www.cve.org/CVERecord?id=CVE-2025-8733
[2] https://www.cve.org/CVERecord?id=CVE-2025-8734
[3] https://access.redhat.com/security/cve/cve-2025-8733”

<https://lists.gnu.org/archive/html/bug-bison/2025-08/msg00019.html>