Description
binutils version 2.32 and earlier contains a Integer Overflow vulnerability in objdump, bfd_get_dynamic_reloc_upper_bound,bfd_canonicalize_dynamic_reloc that can result in Integer overflow trigger heap overflow. Successful exploitation allows execution of arbitrary code.. This attack appear to be exploitable via Local. This vulnerability appears to have been fixed in after commit 3a551c7a1b80fca579461774860574eabfd7f18f.
References (7)
Core 7
Core References
Patch x_refsource_misc
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=3a551c7a1b80fca579461774860574eabfd7f18f
Broken Link vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/106304
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://sourceware.org/bugzilla/show_bug.cgi?id=23994
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2075
Broken Link vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html
Broken Link vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4336-1/
Scores
CVSS v3
7.8
EPSS
0.0033
EPSS Percentile
55.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-190
CWE-787
Status
published
Products (5)
canonical/ubuntu_linux
18.04
gnu/binutils
< 2.32
redhat/enterprise_linux_desktop
7.0
redhat/enterprise_linux_server
7.0
redhat/enterprise_linux_workstation
7.0
Published
Dec 20, 2018
Tracked Since
Feb 18, 2026