GNU
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any GNU product.
RSS Feeds for GNU security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in GNU products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by GNU Sorted by Most Security Vulnerabilities since 2018
Known Exploited GNU Vulnerabilities
The following GNU vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| GNU InetUtils Argument Injection Vulnerability |
GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a "-f root" value for the USER environment variable. CVE-2026-24061 Exploit Probability: 98.9% |
January 26, 2026 |
| GNU Bash OS Command Injection Vulnerability |
GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment. CVE-2014-6278 Exploit Probability: 99.6% |
October 2, 2025 |
| GNU C Library Buffer Overflow Vulnerability |
GNU C Library's dynamic loader ld.so contains a buffer overflow vulnerability when processing the GLIBC_TUNABLES environment variable, allowing a local attacker to execute code with elevated privileges. CVE-2023-4911 Exploit Probability: 81.4% |
November 21, 2023 |
| GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability |
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code. CVE-2014-6271 Exploit Probability: 100.0% |
January 28, 2022 |
| GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability |
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code. This CVE correctly remediates the vulnerability in CVE-2014-6271. CVE-2014-7169 Exploit Probability: 99.9% |
January 28, 2022 |
Of the known exploited vulnerabilities above, 5 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.
By the Year
In 2026 there have been 57 vulnerabilities in GNU with an average score of 5.9 out of ten. Last year, in 2025 GNU had 92 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in GNU in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.47.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 57 | 5.86 |
| 2025 | 92 | 5.39 |
| 2024 | 33 | 6.83 |
| 2023 | 78 | 6.93 |
| 2022 | 51 | 7.18 |
| 2021 | 87 | 7.24 |
| 2020 | 54 | 6.38 |
| 2019 | 83 | 7.18 |
| 2018 | 77 | 6.54 |
It may take a day or so for new GNU vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent GNU Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-40553 | Jul 13, 2026 |
gawk <5.4.0 Buffer Overflow (ftype)Buffer overflow vulnerability has been found in "extension/readdir.c" program file of gawk (ftype() routine). This issue could be used to crash the program and potentially to achieve code execution, although the latter has not been confirmed to be feasible. It affects gawk in versions 5.4.0 and below. |
|
| CVE-2026-40469 | Jul 13, 2026 |
Integer Overflow in Builtin.c of gawk 5.4.0 (32bit)Integer overflow vulnerability has been found in "builtin.c" program file of gawk (do_sub() routine). This issue could be used to overwrite gawk heap metadata and objects causing the program to crash. It affects 32-bit builds of gawk in versions 5.4.0 and below. |
|
| CVE-2026-40468 | Jul 13, 2026 |
gawk Integer Overflow in builtin.c (<=5.4.0)Integer overflow vulnerability has been found in "builtin.c" program file of gawk. This issue may lead to memory exhaustion on the hosting operating system and could be used to overwrite gawk heap metadata and objects with attacker-controlled bytes. It affects gawk in versions 5.4.0 and below. |
|
| CVE-2026-40467 | Jul 13, 2026 |
Gawk Use After Free in io.c (do_getline_redir) - Before 5.4.0Use After Free vulnerability has been found in "io.c" program file of gawk (do_getline_redir() routine). This issue may lead to a crash. It affects gawk in versions 5.4.0 and below. |
|
| CVE-2026-15520 | Jul 13, 2026 |
LibreDWG 0.13.4 R2004 Decompression Buffer Overflow (before 0.14.8396)A vulnerability was determined in GNU LibreDWG 0.13.4-154-g0b573035. This impacts the function decompress_R2004_section of the file src/decode.c of the component R2004 Section Decompression. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.14.8396 will fix this issue. This patch is called 3d0f9fc2eddbd6579c99af3111c37c98f03475d0. You should upgrade the affected component. |
|
| CVE-2026-15146 | Jul 10, 2026 |
SSRF via Unvalidated FTP PASV IP in GNU Wget <1.25.0GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wgets data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources. |
|
| CVE-2026-15184 | Jul 09, 2026 |
Nullptr Deref in LibreDWG DWG Handler (0.13.4) Local ExploitA vulnerability was found in GNU LibreDWG up to 0.13.4. The impacted element is the function dwg_next_entity of the file src/dwg.c of the component DWG File Handler. Performing a manipulation of the argument next_obj results in null pointer dereference. The attack must be initiated from a local position. The exploit has been made public and could be used. Upgrading to version 0.14 is sufficient to resolve this issue. The patch is named dde45dac3c4d902e4d8fed150a8017b9732019c9. Upgrading the affected component is recommended. Different than CVE-2026-9503. |
|
| CVE-2026-15182 | Jul 09, 2026 |
Heap Overflow in LibreDWG 0.13.4 BMP Image HandlerA vulnerability has been found in GNU LibreDWG up to 0.13.4. The affected element is the function dwg_bmp of the file src/dwg.c of the component BMP Image Handler. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. Upgrading to version 0.14 is sufficient to fix this issue. The name of the patch is 18fd542bb4d5ccedf9de12052bf50068b2b26f06. It is suggested to upgrade the affected component. |
|
| CVE-2026-56289 | Jul 09, 2026 |
DoS in GNU Patch via Unrealistic Hunk OffsetsGNU patch is vulnerable to a denial of service (DoS) due to improper validation of hunk (single block of changes in diff) line offsets in unified-diff input. A specially crafted patch can specify an extremely large line number, causing the application to enter an effectively infinite processing loop while attempting to locate the requested position. This results in excessive CPU consumption and prevents the process from completing. An attacker can trigger this behavior by supplying a malicious patch file, causing the utility to become unresponsive and require manual termination. This issue has been fixed in the commit faba04ef4f2b410257f76c1b9dc85e350929c4b9 |
|
| CVE-2026-56288 | Jul 09, 2026 |
Null Pointer Dereference in GNU Patch (CVE-2026-56288)GNU patch is vulnerable to a NULL pointer dereference when processing a specially crafted unified-diff patch file. Improper handling of consecutive end-of-file newline markers can corrupt internal hunk (single block of changes in diff) data structures, causing the application to pass a NULL pointer to fwrite() during patch processing. An attacker can trigger this condition with a malicious patch file, causing the utility to crash and resulting in a denial of service. This issue has been fixed in the commit e6d6a4e021660679d7fc9150f981d4920f722313 |
|
| CVE-2026-58472 | Jul 07, 2026 |
Heap Buffer Overflow in GNU Wget 1.25.0 html_quote_string() (convert.c)GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase. |
|
| CVE-2026-58471 | Jul 07, 2026 |
GNU Wget 1.25.0 Heap Buffer Overflow (convert_fname)GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response. |
|
| CVE-2026-58470 | Jul 07, 2026 |
Wget 1.25.0 Integer Overflow in parse_content_range()GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client. |
|
| CVE-2026-58469 | Jul 07, 2026 |
GNU Wget <1.25.0 Heap Buffer Underread in clean_metalink_stringGNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior. |
|
| CVE-2026-41992 | Jun 29, 2026 |
GNU gzip LZH buffer overflow via global state reuseGNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an outofbounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer. This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681 |
|
| CVE-2026-41991 | Jun 29, 2026 |
GNU gzip gzexe TOCTOU File Overwrite via SymlinkGNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the users PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can precreate the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a timeofcheck to timeofuse (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 |
|
| CVE-2026-57053 | Jun 23, 2026 |
GNU libidn <1.44 OOB Read in ToUnicode APIGNU libidn before 1.44 is prone to out-of-bounds reads of uninitialized memory in the ToUnicode APIs because of mishandling in idna_to_unicode_internal. The affected code is not present in libidn2. |
|
| CVE-2026-56968 | Jun 23, 2026 |
GNU SASL <2.2.4 NTLM Challenge Sanitization Flaw (Memory Disclosure)GNU SASL before 2.2.4 lacks sanitization of a short challenge in _gsasl_ntlm_client_step in the NTLM client, which could result in memory disclosure via a crafted server. |
|
| CVE-2026-56355 | Jun 20, 2026 |
Auth Bypass via Untrusted Data in Savane <=3.17 (CVE-2026-56355)GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization. |
|
| CVE-2026-9605 | May 26, 2026 |
Heap Buffer Overflow in GNU libredwg 0.13.4.8160 (Dwgbmp Utility)A flaw has been found in GNU libredwg up to 0.13.4.8160. This issue affects the function bit_read_RC of the file bits.c of the component Dwgbmp Utility. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 8f03865f37f5d4ffd616fef802acc980be54d300. Applying a patch is the recommended action to fix this issue. |
|
| CVE-2026-9530 | May 26, 2026 |
OOB Read in GNU LibreDWG (pre-0.14) Dwgbmp UtilityA weakness has been identified in GNU LibreDWG up to 0.14. The impacted element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgbmp Utility. Executing a manipulation can lead to out-of-bounds read. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This patch is called 8f03865f37f5d4ffd616fef802acc980be54d300. It is advisable to implement a patch to correct this issue. |
|
| CVE-2026-9529 | May 26, 2026 |
Local Null Dereference in LibreDWG<0.14 match_BLOCK_HEADER (Dwggrep)A security flaw has been discovered in GNU LibreDWG up to 0.14. The affected element is the function match_BLOCK_HEADER of the file dwggrep.c of the component Dwggrep Utility. Performing a manipulation results in null pointer dereference. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. |
|
| CVE-2026-9504 | May 25, 2026 |
LibreDWG <=0.14 OOBR in Dwggrep::bit_convert_TUA weakness has been identified in GNU LibreDWG up to 0.14. Affected is the function bit_convert_TU of the file programs/dwggrep.c of the component Dwggrep Utility. This manipulation causes out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: be996bf2178a40e98720f18c2414815d244413db. Applying a patch is the recommended action to fix this issue. |
|
| CVE-2026-9503 | May 25, 2026 |
LibreDWG 0.14 Null Deref in dwg_next_entity (Local)A security flaw has been discovered in GNU LibreDWG up to 0.14. This impacts the function dwg_next_entity of the file src/decode.c of the component DWG File Handler. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 8f03865f37f5d4ffd616fef802acc980be54d300. Upgrading the affected component is advised. |
|
| CVE-2026-9502 | May 25, 2026 |
Heap Buffer Overflow in GNU LibreDWG Dwgread <=0.14A vulnerability was identified in GNU LibreDWG up to 0.14. This affects the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. To fix this issue, it is recommended to deploy a patch. |
|
| CVE-2026-9501 | May 25, 2026 |
LibreDWG <=0.14 DEP Assertion via decompress_R2004_section Local OnlyA vulnerability was determined in GNU LibreDWG up to 0.14. The impacted element is the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. Executing a manipulation can lead to reachable assertion. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. A patch should be applied to remediate this issue. |
|
| CVE-2026-9500 | May 25, 2026 |
LibreDWG<=0.14: heap-based buffer overflow in read_2004_compressed_sectionA vulnerability was found in GNU LibreDWG up to 0.14. The affected element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgread Utility. Performing a manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. |
|
| CVE-2026-48829 | May 24, 2026 |
GNU SASL <2.2.3 Null Pointer Deref in DIGEST-MD5 ComponentIn GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known token with no accompanying = character. This occurs in lib/digest-md5/getsubopt.c. |
|
| CVE-2026-1858 | Apr 29, 2026 |
wget2 TLS Cert Validation Bypass: Key Usage/EKU Mismatchwget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication. |
|
| CVE-2026-6238 | Apr 28, 2026 |
glibc 2.2+ RDATA len validate flaw in deprec DNS funcsThe deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.0.1 to version 2.43 fail to validate the RDATA content against the RDATA length in a DNS response when processing A6, CERT, LOC, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions. |
|
| CVE-2026-40556 | Apr 28, 2026 |
GNU nano <9.0: worldwritable ~/.local created by 0777 mode |
|
| CVE-2026-5435 | Apr 28, 2026 |
glibc v2.2+ OOB Write via Deprecated DNS Print FunctionsThe deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records. |
|
| CVE-2026-5450 | Apr 20, 2026 |
glibc 2.7-2.43 %mc scanf causes 1byte heap overflowCalling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow. |
|
| CVE-2026-5928 | Apr 20, 2026 |
glibc <=2.43 ungetwc Buffer Under-Read via _IO_wdefault_pbackfailCalling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets. |
|
| CVE-2026-5958 | Apr 20, 2026 |
sed 4.9-: In-Place Edit + --follow-symlinks Race -> Arbitrary File Overwrite (CVE-2026-5958)When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves symlink to its target and stores the resolved path for determining when output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will: read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10. |
|
| CVE-2026-4046 | Mar 30, 2026 |
Crash via iconv() in glibc <=2.43 with IBM139x charsetsThe iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them. |
|
| CVE-2026-4438 | Mar 20, 2026 |
glibc 2.342.43 DNS hostname violation via gethostbyaddrCalling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification. |
|
| CVE-2026-4437 | Mar 20, 2026 |
glibc 2.342.43 DNS Spec Violation via gethostbyaddrCalling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer. |
|
| CVE-2025-69720 | Mar 19, 2026 |
ncurses 6.4-6.5 Buffer Overflow in infocmp.c analyze_string()The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c. |
|
| CVE-2026-32772 | Mar 13, 2026 |
GNU Inetutils <=2.7 Telnet Read Env via NEW_ENVIRON SEND USERVARtelnet in GNU inetutils through 2.7 allows servers to read arbitrary environment variables from clients via NEW_ENVIRON SEND USERVAR. |
|
| CVE-2026-32746 | Mar 13, 2026 |
GNU inetutils telnetd OOB write via LINEMODE SLC before 2.8telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full. |
|
| CVE-2026-3904 | Mar 11, 2026 |
glibc 2.35-2.36 nscd crash via memcmp UB on x86_64Calling NSS-backed functions that support caching via nscd may call the nscd client side code and in the GNU C Library version 2.36 under high load on x86_64 systems, the client may call memcmp on inputs that are concurrently modified by other processes or threads and crash. The nscd client in the GNU C Library uses the memcmp function with inputs that may be concurrently modified by another thread, potentially resulting in spurious cache misses, which in itself is not a security issue. However in the GNU C Library version 2.36 an optimized implementation of memcmp was introduced for x86_64 which could crash when invoked with such undefined behaviour, turning this into a potential crash of the nscd client and the application that uses it. This implementation was backported to the 2.35 branch, making the nscd client in that branch vulnerable as well. Subsequently, the fix for this issue was backported to all vulnerable branches in the GNU C Library repository. It is advised that distributions that may have cherry-picked the memcpy SSE2 optimization in their copy of the GNU C Library, also apply the fix to avoid the potential crash in the nscd client. |
|
| CVE-2025-69648 | Mar 09, 2026 |
GNU Binutils 2.45.1 readelf DoS via malformed DWARF .debug_rnglistsGNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. A logic flaw in the DWARF parsing path causes readelf to repeatedly print the same warning message without making forward progress, resulting in a non-terminating output loop that requires manual interruption. No evidence of memory corruption or code execution was observed. |
|
| CVE-2025-69647 | Mar 09, 2026 |
DoS in GNU Binutils readelf via malformed DWARF loclist (2.45.1)GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. A logic flaw in the DWARF parsing code can cause readelf to repeatedly print the same table output without making forward progress, resulting in an unbounded output loop that never terminates unless externally interrupted. A local attacker can trigger this behavior by supplying a malicious input file, causing excessive CPU and I/O usage and preventing readelf from completing its analysis. |
|
| CVE-2025-69649 | Mar 06, 2026 |
GNU Binutils 2.46 readelf NULL Deref in display_relocationsGNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. During relocation processing, an invalid or null section pointer may be passed into display_relocations(), resulting in a segmentation fault (SIGSEGV) and abrupt termination. No evidence of memory corruption beyond the null pointer dereference, nor any possibility of code execution, was observed. |
|
| CVE-2025-69651 | Mar 06, 2026 |
GNU Binutils <=2.46 readelf invalid pointer free leads to DOSGNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. Later, process_got_section_contents() may attempt to free an invalid r_symbol pointer, triggering memory corruption checks in glibc and causing the program to terminate with SIGABRT. No evidence of further memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version. |
|
| CVE-2025-69646 | Mar 06, 2026 |
Binutils 2.44 objdump Denial-of-Service via Malformed DWARFBinutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. A logic error in the handling of the debug_rnglists header can cause objdump to repeatedly print the same warning message and fail to terminate, resulting in an unbounded logging loop until the process is interrupted. The issue was observed in binutils 2.44. A local attacker can exploit this vulnerability by supplying a malicious input file, leading to excessive CPU and I/O usage and preventing completion of the objdump analysis. |
|
| CVE-2025-69645 | Mar 06, 2026 |
Binutils objdump DoS via malformed DWARF offset_size (2.44)Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. A logic error in the handling of DWARF compilation units can result in an invalid offset_size value being used inside byte_get_little_endian, leading to an abort (SIGABRT). The issue was observed in binutils 2.44. A local attacker can trigger the crash by supplying a malicious input file. |
|
| CVE-2025-69652 | Mar 06, 2026 |
DoS in GNU Binutils readelf 2.46 via Malformed DWARFGNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. Due to incomplete state cleanup in process_debug_info(), an invalid debug_info_p state may propagate into DWARF attribute parsing routines. When certain malformed attributes result in an unexpected data length of zero, byte_get_little_endian() triggers a fatal abort. No evidence of memory corruption or code execution was observed; the impact is limited to denial of service. |
|
| CVE-2025-69644 | Mar 06, 2026 |
Binutils objdump DoS via malformed DWARF before v2.46An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. A logic flaw in the handling of DWARF location list headers can cause objdump to enter an unbounded loop and produce endless output until manually interrupted. This issue affects versions prior to the upstream fix and allows a local attacker to cause excessive resource consumption by supplying a malicious input file. |
|