GNU Binutils CVE-2025-8224

LOW
Improper Resource Shutdown or Release (CWE-404)
2025-07-27 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:50 (vuln.today)

Description (CVE.org)

A vulnerability has been found in GNU Binutils 2.44 and classified as problematic. This vulnerability affects the function bfd_elf_get_str_section of the file bfd/elf.c of the component BFD Library. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The name of the patch is db856d41004301b3a56438efd957ef5cabb91530. It is recommended to apply a patch to fix this issue.

Analysis (AI)

Null pointer dereference in GNU Binutils 2.44 BFD Library function bfd_elf_get_str_section causes denial of service when processing malformed ELF files locally. The vulnerability requires local access with limited privileges (PR:L) and publicly available exploit code exists, though EPSS scoring (0.04%, 12th percentile) indicates low real-world exploitation probability despite public disclosure.

Technical Context (AI)

The BFD (Binary File Descriptor) Library is GNU Binutils' core component for parsing and manipulating binary object files, including ELF (Executable and Linkable Format). Tools such as objdump, readelf, and ld use it. The vulnerability resides in the bfd_elf_get_str_section function in bfd/elf.c, which handles string section processing during ELF file parsing. The record classifies the flaw as CWE-404 (Improper Resource Shutdown or Release); in practice it is a null pointer dereference in which the function fails to validate a pointer before dereferencing it, likely when processing section headers or string table metadata in crafted or corrupted ELF files. The attack surface is limited to local users with at least unprivileged account access (PR:L per the CVSS 4.0 vector) who can supply malicious ELF files to Binutils utilities.

Remediation (AI)

Apply the upstream patch, commit db856d41004301b3a56438efd957ef5cabb91530, to the BFD Library source code (available at https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=db856d41004301b3a56438efd957ef5cabb91530), or upgrade to GNU Binutils 2.45 or later once released with this fix integrated. For distributions with backports, check GNU Binutils security advisories at https://www.gnu.org/ for patched 2.44.x point releases. Interim mitigation: restrict local user access to Binutils utilities via file permissions or containerization, and avoid processing untrusted or malformed ELF files in multi-user environments. Implement input validation at the application layer if Binutils is embedded (e.g., verify ELF file structure with checksums before passing to BFD). Because the impact is denial of service only, the concern is system availability, not data breach; prioritize this patch based on the local user trust model rather than network-facing threat level.
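One way to implement the application-layer structure check mentioned above, as an added example that is not code from Binutils or from the upstream patch: a strict gate that rejects ELF64 images whose section header table or string tables are out of bounds, mistyped, or unterminated before the file reaches BFD. The page does not say which malformed field triggers the dereference, so this is a general sanity check and an assumption, not a known block for this CVE. The names `elf64_strtabs_sane` and `build_sample` are hypothetical, and the code assumes a little-endian Linux host with `<elf.h>` and little-endian ELF64 input.

```c
#include <elf.h>      /* Linux/glibc ELF definitions (assumed available) */
#include <stdint.h>
#include <string.h>

static int in_file(uint64_t off, uint64_t size, size_t len) /* overflow-safe bounds check */
{ return off <= len && size <= len - off; }

/* Hypothetical gate: returns 1 if the little-endian ELF64 image has sane string tables. */
int elf64_strtabs_sane(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return 0;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB)
        return 0;
    /* Section header table: present, standard entry size, fully inside the file. */
    if (eh.e_shnum == 0 || eh.e_shentsize != sizeof(Elf64_Shdr) ||
        !in_file(eh.e_shoff, (uint64_t)eh.e_shnum * sizeof(Elf64_Shdr), len))
        return 0;
    if (eh.e_shstrndx >= eh.e_shnum) return 0;      /* also rejects SHN_XINDEX */
    for (unsigned i = 0; i < eh.e_shnum; i++) {
        Elf64_Shdr sh;
        memcpy(&sh, buf + eh.e_shoff + (size_t)i * sizeof sh, sizeof sh);
        if (sh.sh_link >= eh.e_shnum) return 0;     /* dangling link index */
        if (i == eh.e_shstrndx && sh.sh_type != SHT_STRTAB) return 0;
        if (sh.sh_type != SHT_STRTAB) continue;
        /* String data: non-empty, inside the file, NUL-terminated. */
        if (sh.sh_size == 0 || !in_file(sh.sh_offset, sh.sh_size, len)) return 0;
        if (buf[sh.sh_offset + sh.sh_size - 1] != '\0') return 0;
    }
    return 1;
}

/* Constructed sample (not a real binary): ELF header, null section, .shstrtab. */
size_t build_sample(unsigned char *buf, uint16_t shstrndx)
{
    static const char names[] = "\0.shstrtab";
    Elf64_Ehdr eh = { .e_ident = { 0x7f, 'E', 'L', 'F', ELFCLASS64, ELFDATA2LSB },
                      .e_shoff = sizeof(Elf64_Ehdr), .e_shentsize = sizeof(Elf64_Shdr),
                      .e_shnum = 2, .e_shstrndx = shstrndx };
    Elf64_Shdr sh[2] = { [1] = { .sh_type = SHT_STRTAB, .sh_size = sizeof names,
                                 .sh_offset = sizeof eh + 2 * sizeof(Elf64_Shdr) } };
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, sh, sizeof sh);
    memcpy(buf + sizeof eh + sizeof sh, names, sizeof names);
    return sizeof eh + sizeof sh + sizeof names;
}
```

The gate is deliberately stricter than the ELF specification: it also rejects files with no section headers or with extended section numbering, which a stricter-than-spec intake policy can afford but a general-purpose tool cannot.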