Memory corruption flaws in NASM could crash your system or worse. Learn to check, patch, or restrict NASM on Ubuntu 22.04/24.04 with a ready-to-use script. Secure your dev environment today.
Keeping your development and build systems secure is a constant task. In May 2026, Canonical released a security notice (USN-8248-1) to address critical memory corruption issues in the Netwide Assembler (NASM) for Ubuntu 22.04 LTS and 24.04 LTS.
These vulnerabilities—including a heap buffer overflow (CVE-2023-31722) and memory leaks (CVE-2021-33450, CVE-2021-33452)—could allow attackers to crash the assembler or execute arbitrary code.
This guide remains useful for system administrators, security engineers, and developers to check, fix, and protect systems running NASM now and in the future.
How to Check if You Are Vulnerable
First, verify your NASM version. Open a terminal and run:
nasm --version
The output will look like NASM version X.XX.XX. Compare it with these fixed versions. If you see any of the following, your system is vulnerable:
Ubuntu 24.04 LTS: Fixed version is 2.16.01-1ubuntu0.1~esm1 or later.
Ubuntu 22.04 LTS: Fixed version is 2.15.05-1ubuntu0.1~esm1 or later.
Automation Script to Apply the Fix
To fully patch your system, update all packages. To make future checks easier, you can use this script to verify and update NASM across all your Ubuntu servers:
#!/bin/bash # NASM Security Vulnerability Check & Fix Script for Ubuntu LTS # Run with: chmod +x check_nasm.sh && sudo ./check_nasm.sh echo "[*] Checking for vulnerable NASM versions on Ubuntu..." # Determine Ubuntu release RELEASE=$(lsb_release -rs) # Check if NASM is installed INSTALLED_VERSION=$(nasm --version 2>/dev/null | awk '{print $3}') if [ -z "$INSTALLED_VERSION" ]; then echo "[!] NASM is not installed on this system. No action needed." exit 0 fi echo "[*] Found NASM version: $INSTALLED_VERSION" # Set required version based on Ubuntu release if [[ "$RELEASE" == "22.04" ]]; then REQUIRED_VERSION="2.15.05-1ubuntu0.1" echo "[*] Ubuntu 22.04 LTS detected." elif [[ "$RELEASE" == "24.04" ]]; then REQUIRED_VERSION="2.16.01-1ubuntu0.1" echo "[*] Ubuntu 24.04 LTS detected." else echo "[!] This script is for Ubuntu 22.04/24.04 LTS only." exit 1 fi # Compare version strings (simple check) if [[ "$INSTALLED_VERSION" < "$REQUIRED_VERSION" ]]; then echo "[!] Vulnerable version detected! Applying security fix..." sudo apt update sudo apt install --only-upgrade nasm -y echo "[+] NASM has been updated." else echo "[+] NASM version is up to date." fi echo "[*] Security check complete."
How to use it: Save the script as check_nasm.sh, give it execute permissions with chmod +x check_nasm.sh, and run it with sudo ./check_nasm.sh.
Create your own Laboratory
If you want to test security patches like this one before pushing them to your production servers, the smartest (and cheapest) setup is a dedicated security lab at home.
The hardware bundle that makes this dead simple is the CanaKit Raspberry Pi Starter Kit. It is the go-to foundation for building a security testing environment because it removes all the guesswork:
No hunting for parts: The kit includes everything in one box – the board, a preloaded microSD card, a power supply, and a case.
It's built for power users: The latest generation delivers 2-3x the CPU performance of the previous models, which means you can spin up multiple virtual machines or containers for a realistic lab.
Plug-and-play OS: The included microSD card comes pre-loaded with Raspberry Pi OS, so you can set up your lab in less than ten minutes. From there, you install tools like Kali Linux or Docker to replicate your exact production environment.
It pays for itself: Testing a patch on a dedicated device costs a fraction of what a single incident or recovery window would cost your organization.
Don’t risk breaking your production environment to test a fix. Build a dedicated lab. Get the complete CanaKit setup here .
Buy on Amazon (adversiting): https://amzn.to/4wie2QY
This post contains affiliate links. We may earn a commission on qualifying purchases.
Alternative Mitigation If You Can't Update Now
Sometimes, you cannot immediately update a system due to dependencies or maintenance windows. In such cases, you can reduce the risk with these workarounds:
1. Restrict NASM File System Access with AppArmor: Create a basic AppArmor profile to confine NASM. Create a file /etc/apparmor.d/usr.bin.nasm with:
#include <tunables/global>
/usr/bin/nasm {
#include <abstractions/base>
#include <abstractions/nameservice>
/usr/bin/nasm mr,
/usr/lib/nasm/** r,
/proc/*/maps r,
deny /tmp/** w,
deny /home/** w,
}
Then load the profile with sudo apparmor_parser -r /etc/apparmor.d/usr.bin.nasm. This prevents NASM from writing to sensitive directories.
2. Remove Execute Permissions: If NASM is not in active use, remove its execute bit for non-root users:
sudo chmod 750 /usr/bin/nasm
3. Network Isolation with iptables: If an exploit uses NASM to download additional payloads, you can block all outbound network connections for the user running NASM:
sudo iptables -A OUTPUT -o eth0 -m owner --uid-owner your_username -j DROP
Replace your_username with the actual user.
Conclusion
Memory corruption in developer tools like NASM is a serious threat. Don't wait for an incident. Run the automation script on your Ubuntu systems today, and if you can't patch, apply the alternate mitigations to buy time.
For safe learning, set up a Raspberry Pi lab to practice these commands and test further security measures. Your future self will thank you.
Nenhum comentário:
Postar um comentário