CVE-2017-15939 — NULL Pointer Dereference in Binutils

CWE-476 — NULL Pointer Dereference8 documents8 sources

Severity

5.5MEDIUMNVD

EPSS

0.3%

top 43.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Binutils

Timeline

PublishedOct 27

Latest updateMay 14

Description

dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, mishandles NULL files in a .debug_line file table, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ELF file, related to concat_filename. NOTE: this issue is caused by an incomplete fix for CVE-2017-15023.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶Ubuntugnu/binutils< 2.26.1-1ubuntu1~16.04.8+esm1

▶NVDgnu/binutils2.29

Patches

Patch: blogs.gentoo.org ↗Patch: sourceware.org ↗Patch: blogs.gentoo.org ↗

🔴Vulnerability Details

GHSA

GHSA-pmp5-rw9v-rgv5: dwarf2↗2022-05-14

▶

CVEList

CVE-2017-15939: dwarf2↗2017-10-27

▶

OSV

CVE-2017-15939: dwarf2↗2017-10-27

▶

📋Vendor Advisories

Ubuntu

GNU binutils vulnerabilities↗2021-07-21

▶

Red Hat

binutils: NULL pointer dereference in the concat_filename↗2017-09-25

▶

Debian

CVE-2017-15939: binutils - dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distribute...↗2017

▶

💬Community

Bugzilla

CVE-2017-15939 binutils: NULL pointer dereference in the concat_filename↗2017-11-07

▶