CVE-2017-15938 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Binutils

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125 — Out-of-bounds Read8 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 28.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Binutils

Timeline

PublishedOct 27

Latest updateMay 14

Description

dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Debiangnu/binutils< 2.29.90.20180122-1+3

▶NVDgnu/binutils2.29

Patches

Patch: blogs.gentoo.org ↗Patch: sourceware.org ↗Patch: blogs.gentoo.org ↗

🔴Vulnerability Details

GHSA

GHSA-whrg-9757-hqm7: dwarf2↗2022-05-14

▶

OSV

CVE-2017-15938: dwarf2↗2017-10-27

▶

CVEList

CVE-2017-15938: dwarf2↗2017-10-27

▶

📋Vendor Advisories

Ubuntu

GNU binutils vulnerabilities↗2021-07-21

▶

Red Hat

binutils: Invalid memory read in find_abstract_instance_name↗2017-10-24

▶

Debian

CVE-2017-15938: binutils - dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distribute...↗2017

▶

💬Community

Bugzilla

CVE-2017-15938 binutils: Invalid memory read in find_abstract_instance_name↗2017-11-21

▶