CVE-2025-11840
Published: October 17, 2025Last modified: November 9, 2025
Description
A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be exploited. This patch is called 16357. It is best practice to apply a patch to resolve this issue.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.5 |
| Attack Vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity impact | NONE |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | binutils | Fixed (2.40-r10) |
| 25 LTS | binutils | Fixed (2.45-r2) | |
| Stream | binutils | Fixed (2.45-r2) | |
| Hardened Containers | 23 LTS | binutils | Fixed (2.40-r10) |
| Stream | binutils | Fixed (2.45-r2) |