GNU Binutils Memory Corruption Vulnerability in ld Component

Vulnerability

A memory corruption vulnerability has been identified in GNU Binutils version 2.43, specifically within the ld component's bfd_putl64 function in libbfd.c. This vulnerability allows for illegal write access, leading to a segmentation fault and a crash of the linker. The issue can be exploited remotely, although the complexity of the attack is considered high.

Impact

Exploitation of this vulnerability causes a segmentation fault due to illegal memory writes, leading to a crash of the affected application.

Reproduction

The vulnerability can be reproduced by building GNU Binutils 2.43 with AddressSanitizer enabled. After compiling the program, the ld command can be executed with the --version-exports-section and --shared options, along with a specially crafted input file that triggers the illegal memory access. The AddressSanitizer will report a segmentation fault, indicating the occurrence of the vulnerability.
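As an added example (not part of the advisory or of Binutils), the Python helper below checks whether an AddressSanitizer report from an ASan-built ld matches the crash described above: a write-access SEGV whose top frame is bfd_putl64 in libbfd.c. The sample report is constructed; its addresses, PID, paths, line numbers and the placeholder_caller frame are assumptions.

```python
import re

# Constructed ASan report: addresses, PID, paths, line numbers and the
# placeholder_caller frame are made up. Only bfd_putl64 / libbfd.c come
# from the advisory.
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x7f0000001000 (pc 0x55550010abcd bp 0x7ffc00000010 sp 0x7ffc00000000 T0)
==4242==The signal is caused by a WRITE memory access.
    #0 0x55550010abcd in bfd_putl64 /src/binutils-2.43/bfd/libbfd.c:1:1
    #1 0x55550020abcd in placeholder_caller /src/binutils-2.43/ld/placeholder.c:1:1
    #2 0x55550030abcd in main /src/binutils-2.43/ld/ldmain.c:1:1

==4242==ABORTING
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^[ \t]*#(\d+) 0x[0-9a-f]+ in (\S+)(?: (\S+))?", re.M)


def parse_asan(report):
    """Extract error kind, access type and stack frames from an ASan report."""
    err = ERROR_RE.search(report)
    acc = ACCESS_RE.search(report)
    frames = []
    for num, func, loc in FRAME_RE.findall(report):
        # loc is "path:line[:col]" for symbolized frames; keep the base name.
        src = loc.split(":")[0].rsplit("/", 1)[-1] if loc else ""
        frames.append((int(num), func, src))
    return {"error": err.group(1) if err else None,
            "access": acc.group(1) if acc else None,
            "frames": frames}


def matches_advisory(report):
    """True for a WRITE SEGV whose top frame is bfd_putl64 in libbfd.c."""
    info = parse_asan(report)
    if info["error"] != "SEGV" or info["access"] != "WRITE" or not info["frames"]:
        return False
    # Unsymbolized frames (module+offset, no source file) will not match here.
    _, func, src = info["frames"][0]
    return func == "bfd_putl64" and src == "libbfd.c"


if __name__ == "__main__":
    print("matches advisory:", matches_advisory(SAMPLE_REPORT))
```

A match only says the crash has the same signature as the one in this advisory; it does not confirm that the installed build lacks the patch.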

Remediation

Users are advised to update to a version of GNU Binutils that includes the patch for this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.