
CASR assigns every crash a severity class drawn from three ordered tiers — EXPLOITABLE, PROBABLY_EXPLOITABLE, and NOT_EXPLOITABLE — plus a catch-all UNDEFINED class for crashes that cannot be classified. The classification scheme mirrors the way security researchers manually triage crashes: the highest tier signals an immediate, high-confidence control-flow hijack risk, the middle tier requires additional analysis, and the lowest tier covers crashes that are still potentially harmful (e.g., denial-of-service) but lack direct evidence of exploitability.
The GDB-based severity classes (SegFaultOnPc, ReturnAv, BranchAv, CallAv, DestAv, and their tainted variants) are inspired by the open-source gdb-exploitable project originally authored by Jonathan Foote.

EXPLOITABLE

Crashes in this tier show direct evidence that an attacker can redirect control flow. They represent the highest-priority findings and should be investigated immediately.
| Short Description | Description | Explanation |
| --- | --- | --- |
| SegFaultOnPc | Segmentation fault on program counter | The target tried to access data at an address that matches the program counter. This likely indicates that the program counter contents are tainted and can be controlled by an attacker. |
| ReturnAv | Access violation during return instruction | The target crashed on a return instruction, which likely indicates stack corruption. |
| BranchAv | Access violation during branch instruction | The target crashed on a branch instruction, which may indicate that the control flow is tainted. |
| CallAv | Access violation during call instruction | The target crashed on a call instruction, which may indicate that the control flow is tainted. |
| DestAv | Access violation on destination operand | The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
| BranchAvTainted | Access violation during branch instruction from tainted source | The target crashed on loading from memory (SourceAv). After taint tracking, the target operand of the branch instruction could be tainted. |
| CallAvTainted | Access violation during call instruction from tainted source | The target crashed on loading from memory (SourceAv). After taint tracking, the target operand of the call instruction could be tainted. |
| DestAvTainted | Access violation on destination operand from tainted source | The target crashed on loading from memory (SourceAv). After taint tracking, the address operand of a memory store instruction could be tainted. This likely indicates a write access violation, which means the attacker may control the write address and/or value. |
| heap-buffer-overflow(write) | Heap buffer overflow | The target writes data past the end, or before the beginning, of the intended heap buffer. |
| global-buffer-overflow(write) | Global buffer overflow | The target writes data past the end, or before the beginning, of the intended global buffer. |
| stack-use-after-scope(write) | Use of out-of-scope stack memory | The target crashed when writing to a stack address outside the lexical scope of a variable’s lifetime. |
| stack-use-after-return(write) | Use of stack memory after return | The target crashed when writing to the stack memory of a function that has already returned. |
| stack-buffer-overflow(write) | Stack buffer overflow | The target writes data past the end, or before the beginning, of the intended stack buffer. |
| stack-buffer-underflow(write) | Stack buffer underflow | The target writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. |
| heap-use-after-free(write) | Use of deallocated memory | The target crashed when writing to memory after it has been freed. |
| container-overflow(write) | Container overflow | The target crashed when writing to memory inside the allocated heap region but outside of the current container bounds. |
| param-overlap | Overlapping memory ranges | Call to a function that disallows overlapping memory ranges. |

PROBABLY_EXPLOITABLE

Crashes in this tier may allow control-flow hijacking but require further (often manual) analysis to confirm. Common reasons include near-NULL addresses that could be either a NULL dereference or a low-address attacker-controlled write.
| Short Description | Description | Explanation |
| --- | --- | --- |
| BadInstruction | Bad instruction | The target tried to execute a malformed or privileged instruction. This may indicate that the control flow is tainted. |
| SegFaultOnPcNearNull | Segmentation fault on program counter near NULL | The target tried to access data at an address that matches the program counter. This may indicate that the program counter contents are tainted; however, it may also indicate a simple NULL dereference. |
| BranchAvNearNull | Access violation near NULL during branch instruction | The target crashed on a branch instruction. This may indicate tainted control flow; however, there is a chance it could be a NULL dereference. |
| CallAvNearNull | Access violation near NULL during call instruction | The target crashed on a call instruction. This may indicate tainted control flow; however, there is a chance it could be a NULL dereference. |
| HeapError | Heap error | The target program is aborted due to an error produced by heap allocator functions. |
| StackGuard | Stack buffer overflow | The target program is aborted due to a stack cookie overwrite. |
| DestAvNearNull | Access violation near NULL on destination operand | The target crashed on a write access violation near NULL. This likely indicates a write AV; however, there is a chance it could be a NULL dereference. |
| heap-buffer-overflow | Heap buffer overflow | The target attempts to read or write data past the end, or before the beginning, of the intended heap buffer. |
| global-buffer-overflow | Global buffer overflow | The target attempts to read or write data past the end, or before the beginning, of the intended global buffer. |
| stack-use-after-scope | Use of out-of-scope stack memory | The target crashed when using a stack address outside the lexical scope of a variable’s lifetime. |
| use-after-poison | Using poisoned memory | The target crashed on trying to use memory that was previously poisoned. |
| stack-use-after-return | Use of stack memory after return | The target crashed when using the stack memory of a function that has already returned. |
| stack-buffer-overflow | Stack buffer overflow | The target attempts to read or write data past the end, or before the beginning, of the intended stack buffer. |
| stack-buffer-underflow | Stack buffer underflow | The target is using a buffer with an index or pointer that references a memory location prior to the beginning of the buffer. |
| heap-use-after-free | Use of deallocated memory | The target crashed when using memory after it has been freed. |
| container-overflow | Container overflow | The target crashed when using memory inside the allocated heap region but outside of the current container bounds. |
| negative-size-param | Use of negative size | Negative size used when accessing memory. |
| calloc-overflow | Calloc parameters overflow | Overflow in calloc parameters. |
| reallocarray-overflow | Realloc parameters overflow | Overflow in realloc parameters. |
| pvalloc-overflow | Pvalloc parameters overflow | Overflow in pvalloc parameters. |
| overwrites-const-input | Attempt to overwrite constant input | Fuzz target overwrites its constant input. |

NOT_EXPLOITABLE

Crashes in this tier lack direct evidence of a control-flow hijack. They still warrant investigation — many represent denial-of-service conditions or information leaks — but are lower priority than the tiers above.
| Short Description | Description | Explanation |
| --- | --- | --- |
| SourceAv | Access violation on source operand | The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation. |
| AbortSignal | Abort signal | The target is stopped on a SIGABRT. SIGABRTs are often generated by libc and compiled check-code to indicate potentially critical conditions. |
| AccessViolation | Access violation | The target crashed due to an access violation, but there is not enough additional information available to determine severity. Manual analysis is needed. |
| SourceAvNearNull | Access violation near NULL on source operand | The target crashed on a read access violation near NULL, which may mean the application crashed on a simple NULL dereference with no immediate effect on control of the processor. |
| SafeFunctionCheck | Safe function check guard | The target program is aborted due to a safe function check guard: _chk(). |
| FPE | Arithmetic exception | The target crashed due to an arithmetic floating point exception. |
| StackOverflow | Stack overflow | The target crashed on an access violation where the faulting instruction’s mnemonic and the stack pointer indicate a stack overflow. |
| double-free | Deallocation of freed memory | The target crashed while trying to deallocate already freed memory. |
| bad-free | Invalid memory deallocation | The target crashed on attempting free on an address which was not malloc()-ed. |
| alloc-dealloc-mismatch | Invalid use of alloc/dealloc functions | Mismatch between allocation and deallocation APIs. |
| heap-buffer-overflow(read) | Heap buffer overflow | The target reads data past the end, or before the beginning, of the intended heap buffer. |
| global-buffer-overflow(read) | Global buffer overflow | The target reads data past the end, or before the beginning, of the intended global buffer. |
| stack-use-after-scope(read) | Use of out-of-scope stack memory | The target crashed when reading from a stack address outside the lexical scope of a variable’s lifetime. |
| stack-use-after-return(read) | Use of stack memory after return | The target crashed when reading from the stack memory of a function that has already returned. |
| stack-buffer-overflow(read) | Stack buffer overflow | The target reads data past the end, or before the beginning, of the intended stack buffer. |
| stack-buffer-underflow(read) | Stack buffer underflow | The target reads from a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. |
| heap-use-after-free(read) | Use of deallocated memory | The target crashed when reading from memory after it has been freed. |
| container-overflow(read) | Container overflow | The target crashed when reading from memory inside the allocated heap region but outside of the current container bounds. |
| initialization-order-fiasco | Bad initialization order | Initializer for a global variable accesses a dynamically initialized global from another translation unit, which is not yet initialized. |
| new-delete-type-mismatch | Invalid use of new/delete functions | Deallocation size different from allocation size. |
| bad-malloc_usable_size | Bad function use | Invalid argument to malloc_usable_size. |
| odr-violation | Multiple symbol definition | Symbol defined in multiple translation units. |
| memory-leaks | Memory leaks | The target does not sufficiently track and release allocated memory after use, which slowly consumes remaining memory. |
| invalid-allocation-alignment | Invalid alignment | Invalid allocation alignment. |
| invalid-aligned-alloc-alignment | Invalid alignment | Invalid alignment requested in aligned_alloc. |
| invalid-posix-memalign-alignment | Invalid alignment | Invalid alignment requested in posix_memalign. |
| allocation-size-too-big | Allocation size too big | Requested allocation size exceeds maximum supported size. |
| out-of-memory | Memory limit exceeded | The target has exceeded the memory limit. |
| fuzz target exited | Fuzz target exited | Fuzz target exited. |
| timeout | Target timeout expired | Timeout after several seconds. |
| use-of-uninitialized-value | Use of uninitialized value | The target attempted to access memory that was not initialized. |

Supported Architectures

GDB-based severity estimation (taint-tracking classes such as BranchAvTainted, CallAvTainted, DestAvTainted, and PC-based classes) requires disassembly analysis. The following architectures are supported:
| Architecture | Notes |
| --- | --- |
| x86 | 32-bit Intel/AMD |
| x86_64 | 64-bit Intel/AMD (most common) |
| arm32 | 32-bit ARM |
| aarch64 | 64-bit ARM (ARM64) |
| rv32g | 32-bit RISC-V (general-purpose) |
| rv64g | 64-bit RISC-V (general-purpose) |
Architecture detection uses the Architecture field in the .casrep report (populated from dpkg --print-architecture or equivalent). If the field is empty, CASR falls back to analysing the crash without architecture-specific taint tracking.

Reading Severity in a Report

Every .casrep file contains a CrashSeverity object with four fields that map directly to the tables above. Open any .casrep file and locate the CrashSeverity object to see the full classification:

```json
"CrashSeverity": {
  "Type": "EXPLOITABLE",
  "ShortDescription": "heap-buffer-overflow(write)",
  "Description": "Heap buffer overflow",
  "Explanation": "The target writes data past the end, or before the beginning, of the intended heap buffer."
}
```

| Field | Maps to |
| --- | --- |
| Type | Tier: EXPLOITABLE, PROBABLY_EXPLOITABLE, NOT_EXPLOITABLE, or UNDEFINED |
| ShortDescription | The class name used in the tables above |
| Description | Human-readable one-line description |
| Explanation | Full technical explanation of what the crash indicates |
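The following triage script is an added example, not part of CASR or its documentation. It reads a batch of .casrep documents, orders them by the tier ranking described in the severity tables (EXPLOITABLE first, UNDEFINED last), and flags reports whose Architecture field is empty, since those were classified without architecture-specific taint tracking. It assumes only what this page states: a top-level CrashSeverity object with the four fields above and a top-level Architecture string; the sample reports are constructed for the example and are not real CASR output.

```python
"""Triage helper for CASR .casrep reports.

Added example, not part of CASR. It relies only on the report structure
shown on this page: a top-level "CrashSeverity" object with the fields
Type, ShortDescription, Description and Explanation, plus a top-level
"Architecture" string that may be empty (an assumption taken from the
Supported Architectures section).
"""
import json

# Tier order used for sorting: a lower rank means a higher triage priority.
TIER_RANK = {
    "EXPLOITABLE": 0,
    "PROBABLY_EXPLOITABLE": 1,
    "NOT_EXPLOITABLE": 2,
    "UNDEFINED": 3,
}

# Architectures for which GDB-based taint tracking is available (from the page).
SUPPORTED_ARCHES = {"x86", "x86_64", "arm32", "aarch64", "rv32g", "rv64g"}

# Constructed sample reports (not real CASR output); only the fields this
# script reads are present. File names are placeholders.
SAMPLE_REPORTS = {
    "crash-0001.casrep": json.dumps({
        "Architecture": "x86_64",
        "CrashSeverity": {
            "Type": "NOT_EXPLOITABLE",
            "ShortDescription": "timeout",
            "Description": "Target timeout expired",
            "Explanation": "Timeout after several seconds.",
        },
    }),
    "crash-0002.casrep": json.dumps({
        "Architecture": "",
        "CrashSeverity": {
            "Type": "PROBABLY_EXPLOITABLE",
            "ShortDescription": "BranchAvNearNull",
            "Description": "Access violation near NULL during branch instruction",
            "Explanation": "The target crashed on a branch instruction.",
        },
    }),
    "crash-0003.casrep": json.dumps({
        "Architecture": "x86_64",
        "CrashSeverity": {
            "Type": "EXPLOITABLE",
            "ShortDescription": "heap-buffer-overflow(write)",
            "Description": "Heap buffer overflow",
            "Explanation": "The target writes data past the end, or before "
                           "the beginning, of the intended heap buffer.",
        },
    }),
    # A report with no CrashSeverity object at all.
    "crash-0004.casrep": json.dumps({"Architecture": "x86_64"}),
}


def parse_severity(report_text):
    """Return (tier, class_name, architecture_note) for one .casrep document.

    A missing CrashSeverity object is mapped to the UNDEFINED tier, matching
    the catch-all class for crashes that could not be classified. An unknown
    tier string is an error rather than being silently demoted.
    """
    report = json.loads(report_text)
    sev = report.get("CrashSeverity") or {}
    tier = sev.get("Type", "UNDEFINED")
    if tier not in TIER_RANK:
        raise ValueError(f"unknown severity tier {tier!r}")
    arch = report.get("Architecture", "")
    if not arch:
        note = "Architecture empty: classified without architecture-specific taint tracking"
    elif arch not in SUPPORTED_ARCHES:
        note = f"Architecture {arch!r} is not in the supported list for GDB-based estimation"
    else:
        note = ""
    return tier, sev.get("ShortDescription", ""), note


def triage(reports):
    """Order reports by tier (EXPLOITABLE first), then by class name and file name."""
    rows = []
    for name, text in reports.items():
        tier, cls, note = parse_severity(text)
        rows.append({"file": name, "tier": tier, "class": cls, "note": note})
    rows.sort(key=lambda r: (TIER_RANK[r["tier"]], r["class"], r["file"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORTS):
        flag = f"  [{row['note']}]" if row["note"] else ""
        print(f"{row['tier']:<21} {row['class']:<30} {row['file']}{flag}")
```

Sorting by the tier rank rather than by class name keeps the ordering stable as new classes are added, and treating an unrecognised Type value as an error (instead of folding it into UNDEFINED) makes a changed report format visible immediately rather than quietly pushing crashes to the bottom of the queue.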
