← back
CVE-2025-1148

GNU Binutils ld ldelfgen.c link_order_scan memory leak

CVSS 2.3 LOWEPSS 0.6%CWE-401CWE-404
In short

GNU Binutils' linker (ld) has a memory leak in the link_order_scan function that causes it to not properly release memory during operation. While the issue itself is low-severity, it can cause the linker to consume excessive memory when processing certain inputs.

Technical detail

A memory leak exists in ld/ldelfgen.c's link_order_scan function in GNU Binutils 2.43, triggered during link order scanning operations. The vulnerability requires complex manipulation of input and has high attack complexity; exploitation is difficult but a public proof-of-concept exists. The maintainer notes all reported leaks were fixed on the master branch but withheld from 2.44 to avoid destabilization.

Summary generated and translated by AI from the official description.
A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected products
GNU · Binutils

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://security.netapp.com/advisory/ntap-20250404-0004/https://sourceware.org/bugzilla/attachment.cgi?id=15887https://sourceware.org/bugzilla/show_bug.cgi?id=32576https://vuldb.com/?ctiid.295052https://vuldb.com/?id.295052https://vuldb.com/?submit.485747https://www.gnu.org/