GNU Binutils CVE-2025-8225
LOWSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. It is recommended to apply a patch to fix this issue.
AnalysisAI
Memory leak in GNU Binutils 2.44 DWARF section handler allows local authenticated users to consume memory resources, potentially leading to denial of service. The vulnerability exists in the process_debug_info function of binutils/dwarf.c and is triggered during DWARF debug information parsing. Publicly available exploit code exists, and a vendor patch has been released.
Technical ContextAI
GNU Binutils is a collection of binary tools including objdump, readelf, and nm, widely used for analyzing and manipulating compiled binaries and debugging symbols. The vulnerability resides in the DWARF section handler component, specifically the process_debug_info function responsible for parsing DWARF (Debugging With Attributed Record Formats) debug information embedded in ELF binaries. DWARF is a standardized format for storing debugging symbols and source code location information. The root cause is classified as CWE-401 (Missing Release of Memory after Effective Lifetime), meaning the function allocates memory during debug info processing but fails to release it properly under certain conditions. This is particularly relevant for tools like readelf and objdump, which parse untrusted binaries and debug sections as part of normal operation.
RemediationAI
Apply the vendor-released patch identified by commit e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4 from the GNU Binutils upstream repository at https://gitlab.com/gnutools/binutils-gdb. Upgrade to a Binutils version released after this patch commit. For systems unable to patch immediately, restrict local access to Binutils tools (readelf, objdump, nm) to trusted users only by adjusting file permissions and access controls on the tool binaries themselves. Additionally, avoid processing untrusted or unknown binaries through Binutils utilities in automated pipelines or services exposed to untrusted users. If Binutils is used in a service context (e.g., binary analysis service), implement resource limits (memory cgroups on Linux) to prevent a single invocation from consuming all available memory, mitigating the denial-of-service impact. Note that this vulnerability requires local authenticated access, so it poses minimal risk to network-facing services unless they invoke Binutils on user-supplied input with inadequate resource isolation.
Share
External POC / Exploit Code
Leaving vuln.today