CVE-2017-7226 — CRITICAL (9.1)

Vulnerability Description

The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses the strlen function instead of strnlen, leading to program crashes in several utilities such as addr2line, size, and strings. It could lead to information disclosure as well.

CVSS Score

9.1

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gnu	Binutils	2.28

Related Weaknesses (CWE)

CWE-125

References

https://sourceware.org/bugzilla/show_bug.cgi?id=20905Issue TrackingPatch
https://sourceware.org/bugzilla/show_bug.cgi?id=20905Issue TrackingPatch

FAQ

What is CVE-2017-7226?

CVE-2017-7226 is a vulnerability with a CVSS score of 9.1 (CRITICAL). The pe_ILF_object_p function in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, is vulnerable to a heap-based buffer over-read of size 4049 because it uses ...

How severe is CVE-2017-7226?

CVE-2017-7226 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-7226?

Check the references section above for vendor advisories and patch information. Affected products include: Gnu Binutils.