Vulnerability-Lookup

CVE-2025-1149 (GCVE-0-2025-1149)

Vulnerability from cvelistv5 – Published: 2025-02-10 14:31 – Updated: 2025-02-10 14:47

Title

GNU Binutils ld xmalloc.c xstrdup memory leak

Summary

A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Severity ?

2.3 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

3.1 (Low)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-401 - Memory Leak
CWE-404 - Denial of Service

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.295053	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.295053	signaturepermissions-required
	https://sourceware.org/bugzilla/show_bug.cgi?id=32576	issue-tracking
	https://sourceware.org/bugzilla/attachment.cgi?id=15887	exploit
	https://www.gnu.org/	product

Impacted products

	Vendor	Product	Version
	GNU	Binutils	Affected: 2.43

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-1149",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T14:47:29.705492Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-10T14:47:56.144Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "ld"
          ],
          "product": "Binutils",
          "vendor": "GNU",
          "versions": [
            {
              "status": "affected",
              "version": "2.43"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I\u0027m not going to commit some of the leak fixes I\u0027ve been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\""
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in GNU Binutils 2.43 ausgemacht. Sie wurde als problematisch eingestuft. Dabei betrifft es die Funktion xstrdup der Datei libiberty/xmalloc.c der Komponente ld. Dank der Manipulation mit unbekannten Daten kann eine memory leak-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig auszunutzen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.6,
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "Memory Leak",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-404",
              "description": "Denial of Service",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-10T14:31:07.377Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-295053 | GNU Binutils ld xmalloc.c xstrdup memory leak",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.295053"
        },
        {
          "name": "VDB-295053 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.295053"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32576"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://sourceware.org/bugzilla/attachment.cgi?id=15887"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.gnu.org/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-02-10T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-02-10T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-02-10T08:36:52.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "GNU Binutils ld xmalloc.c xstrdup memory leak"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-1149",
    "datePublished": "2025-02-10T14:31:07.377Z",
    "dateReserved": "2025-02-10T07:31:45.936Z",
    "dateUpdated": "2025-02-10T14:47:56.144Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-1149\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-10T14:47:29.705492Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-10T14:47:32.311Z\"}}], \"cna\": {\"title\": \"GNU Binutils ld xmalloc.c xstrdup memory leak\", \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 2.3, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 3.1, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 3.1, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 2.6, \"vectorString\": \"AV:N/AC:H/Au:N/C:N/I:N/A:P\"}}], \"affected\": [{\"vendor\": \"GNU\", \"modules\": [\"ld\"], \"product\": \"Binutils\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.43\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-02-10T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2025-02-10T01:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2025-02-10T08:36:52.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.295053\", \"name\": \"VDB-295053 | GNU Binutils ld xmalloc.c xstrdup memory leak\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/?ctiid.295053\", \"name\": \"VDB-295053 | CTI Indicators (IOB, IOC, TTP, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://sourceware.org/bugzilla/show_bug.cgi?id=32576\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://sourceware.org/bugzilla/attachment.cgi?id=15887\", \"tags\": [\"exploit\"]}, {\"url\": \"https://www.gnu.org/\", \"tags\": [\"product\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \\\"I\u0027m not going to commit some of the leak fixes I\u0027ve been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\\\"\"}, {\"lang\": \"de\", \"value\": \"Es wurde eine Schwachstelle in GNU Binutils 2.43 ausgemacht. Sie wurde als problematisch eingestuft. Dabei betrifft es die Funktion xstrdup der Datei libiberty/xmalloc.c der Komponente ld. Dank der Manipulation mit unbekannten Daten kann eine memory leak-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \\u00fcber das Netzwerk erfolgen. Die Komplexit\\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig auszunutzen. Der Exploit steht zur \\u00f6ffentlichen Verf\\u00fcgung. Als bestm\\u00f6gliche Massnahme wird Patching empfohlen.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-401\", \"description\": \"Memory Leak\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-404\", \"description\": \"Denial of Service\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2025-02-10T14:31:07.377Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-1149\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-10T14:47:56.144Z\", \"dateReserved\": \"2025-02-10T07:31:45.936Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2025-02-10T14:31:07.377Z\", \"assignerShortName\": \"VulDB\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-VWFW-R6QW-22RW

Vulnerability from github – Published: 2025-02-10 15:32 – Updated: 2025-02-10 15:32

Details

Severity ?

3.1 (Low)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

2.3 (Low)


                  
                    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-1149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-10T15:15:13Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I\u0027m not going to commit some of the leak fixes I\u0027ve been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\"",
  "id": "GHSA-vwfw-r6qw-22rw",
  "modified": "2025-02-10T15:32:22Z",
  "published": "2025-02-10T15:32:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1149"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/attachment.cgi?id=15887"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32576"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.295053"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.295053"
    },
    {
      "type": "WEB",
      "url": "https://www.gnu.org"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

CNVD-2025-03958

Vulnerability from cnvd - Published: 2025-02-28

Title

GNU Binutils xmalloc.c文件内存泄露漏洞

Description

GNU Binutils（GNU Binary Utilities）是美国GNU社区的开发的一组编程语言工具程序。该程序主要用于处理多种格式的目标文件，并提供有连接器、汇编器和其他用于目标文件和档案的工具。 GNU Binutils 2.43版本存在内存泄露漏洞，该漏洞源于ld部件的libiberty/xmalloc.c文件中的xstrdup函数未释放或无法释放已动态分配的堆内存，攻击者可利用此漏洞导致拒绝服务。

Severity

低

Patch Name

GNU Binutils xmalloc.c文件内存泄露漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.gnu.org/

Reference

https://sourceware.org/bugzilla/attachment.cgi?id=15887

Impacted products

Name
Gnu GNU Binutils 2.43

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-1149",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-1149"
    }
  },
  "description": "GNU Binutils\uff08GNU Binary Utilities\uff09\u662f\u7f8e\u56fdGNU\u793e\u533a\u7684\u5f00\u53d1\u7684\u4e00\u7ec4\u7f16\u7a0b\u8bed\u8a00\u5de5\u5177\u7a0b\u5e8f\u3002\u8be5\u7a0b\u5e8f\u4e3b\u8981\u7528\u4e8e\u5904\u7406\u591a\u79cd\u683c\u5f0f\u7684\u76ee\u6807\u6587\u4ef6\uff0c\u5e76\u63d0\u4f9b\u6709\u8fde\u63a5\u5668\u3001\u6c47\u7f16\u5668\u548c\u5176\u4ed6\u7528\u4e8e\u76ee\u6807\u6587\u4ef6\u548c\u6863\u6848\u7684\u5de5\u5177\u3002\n\nGNU Binutils 2.43\u7248\u672c\u5b58\u5728\u5185\u5b58\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eld\u90e8\u4ef6\u7684libiberty/xmalloc.c\u6587\u4ef6\u4e2d\u7684xstrdup\u51fd\u6570\u672a\u91ca\u653e\u6216\u65e0\u6cd5\u91ca\u653e\u5df2\u52a8\u6001\u5206\u914d\u7684\u5806\u5185\u5b58\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.gnu.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-03958",
  "openTime": "2025-02-28",
  "patchDescription": "GNU Binutils\uff08GNU Binary Utilities\uff09\u662f\u7f8e\u56fdGNU\u793e\u533a\u7684\u5f00\u53d1\u7684\u4e00\u7ec4\u7f16\u7a0b\u8bed\u8a00\u5de5\u5177\u7a0b\u5e8f\u3002\u8be5\u7a0b\u5e8f\u4e3b\u8981\u7528\u4e8e\u5904\u7406\u591a\u79cd\u683c\u5f0f\u7684\u76ee\u6807\u6587\u4ef6\uff0c\u5e76\u63d0\u4f9b\u6709\u8fde\u63a5\u5668\u3001\u6c47\u7f16\u5668\u548c\u5176\u4ed6\u7528\u4e8e\u76ee\u6807\u6587\u4ef6\u548c\u6863\u6848\u7684\u5de5\u5177\u3002\r\n\r\nGNU Binutils 2.43\u7248\u672c\u5b58\u5728\u5185\u5b58\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eld\u90e8\u4ef6\u7684libiberty/xmalloc.c\u6587\u4ef6\u4e2d\u7684xstrdup\u51fd\u6570\u672a\u91ca\u653e\u6216\u65e0\u6cd5\u91ca\u653e\u5df2\u52a8\u6001\u5206\u914d\u7684\u5806\u5185\u5b58\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "GNU Binutils xmalloc.c\u6587\u4ef6\u5185\u5b58\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Gnu GNU Binutils 2.43"
  },
  "referenceLink": "https://sourceware.org/bugzilla/attachment.cgi?id=15887",
  "serverity": "\u4f4e",
  "submitTime": "2025-02-17",
  "title": "GNU Binutils xmalloc.c\u6587\u4ef6\u5185\u5b58\u6cc4\u9732\u6f0f\u6d1e"
}

FKIE_CVE-2025-1149

Vulnerability from fkie_nvd - Published: 2025-02-10 15:15 - Updated: 2025-03-04 15:50

Severity ?

3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Summary

References

URL	Tags
cna@vuldb.com	https://sourceware.org/bugzilla/attachment.cgi?id=15887	Broken Link
cna@vuldb.com	https://sourceware.org/bugzilla/show_bug.cgi?id=32576	Exploit, Issue Tracking
cna@vuldb.com	https://vuldb.com/?ctiid.295053	Permissions Required, VDB Entry
cna@vuldb.com	https://vuldb.com/?id.295053	Third Party Advisory, VDB Entry
cna@vuldb.com	https://www.gnu.org/	Product

Impacted products

	Vendor	Product	Version
	gnu	binutils	2.43

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gnu:binutils:2.43:*:*:*:*:*:*:*",
              "matchCriteriaId": "41E442CC-ADC3-46D7-BC3C-AF5210AA9C04",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was found in GNU Binutils 2.43. It has been classified as problematic. This affects the function xstrdup of the file libiberty/xmalloc.c of the component ld. The manipulation leads to memory leak. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: \"I\u0027m not going to commit some of the leak fixes I\u0027ve been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master.\""
    },
    {
      "lang": "es",
      "value": "Se ha encontrado una vulnerabilidad en GNU Binutils 2.43. Se ha clasificado como problem\u00e1tica. Afecta a la funci\u00f3n xstrdup del archivo libiberty/xmalloc.c del componente ld. La manipulaci\u00f3n provoca una fuga de memoria. Es posible iniciar el ataque de forma remota. La complejidad de un ataque es bastante alta. Se dice que la explotabilidad es dif\u00edcil. El exploit se ha hecho p\u00fablico y puede utilizarse. Se recomienda aplicar un parche para solucionar este problema. El responsable del c\u00f3digo explica: \"No voy a enviar algunas de las correcciones de fugas en las que he estado trabajando a la rama 2.44 debido a la preocupaci\u00f3n de que desestabilizar\u00edan ld. Todas las fugas informadas en este bugzilla se han solucionado en binutils master\"."
    }
  ],
  "id": "CVE-2025-1149",
  "lastModified": "2025-03-04T15:50:19.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 2.6,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "cna@vuldb.com",
        "type": "Secondary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 3.1,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 1.4,
        "source": "cna@vuldb.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 3.1,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 2.3,
          "baseSeverity": "LOW",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "cna@vuldb.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-10T15:15:13.093",
  "references": [
    {
      "source": "cna@vuldb.com",
      "tags": [
        "Broken Link"
      ],
      "url": "https://sourceware.org/bugzilla/attachment.cgi?id=15887"
    },
    {
      "source": "cna@vuldb.com",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=32576"
    },
    {
      "source": "cna@vuldb.com",
      "tags": [
        "Permissions Required",
        "VDB Entry"
      ],
      "url": "https://vuldb.com/?ctiid.295053"
    },
    {
      "source": "cna@vuldb.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://vuldb.com/?id.295053"
    },
    {
      "source": "cna@vuldb.com",
      "tags": [
        "Product"
      ],
      "url": "https://www.gnu.org/"
    }
  ],
  "sourceIdentifier": "cna@vuldb.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-401"
        },
        {
          "lang": "en",
          "value": "CWE-404"
        }
      ],
      "source": "cna@vuldb.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-1149 (GCVE-0-2025-1149)

GHSA-VWFW-R6QW-22RW

CNVD-2025-03958

FKIE_CVE-2025-1149

Tags

Sightings

Nomenclature