CVE-2025-1149
Published: February 11, 2025Last modified: September 3, 2025
Description
A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 3.1 |
| Attack Vector | NETWORK |
| Attack complexity | HIGH |
| Privileges required | NONE |
| User interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity impact | NONE |
| Availability impact | LOW |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L |
Notes
This issue was fixed in binutils-2.45 but not backported to previous releases in upstream. The reason is, according to the maintainer, that would destabilise ld. Also, given that the score of this CVE is low and the exploitation is difficult, this CVE won't be fixed for the Alpaquita 23 LTS release.
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | binutils | Will not fix (2.39-r2) |
| 25 LTS | binutils | Fixed (2.45-r0) | |
| Stream | binutils | Fixed (2.45-r0) | |
| Hardened Containers | 23 LTS | binutils | Will not fix (2.39-r2) |
| Stream | binutils | Fixed (2.45-r0) |