CVE-2020-35494: Medium severity GNU binutils vulnerability
GNU Binutils before 2.34 has an uninitialized-heap vulnerability in the function tic4x_print_cond (file opcodes/tic4x-dis.c) that could allow an attacker to leak information.
Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=25319
Other sources
GNU Binutils is vulnerable to a denial of service, caused by the usage of uninitialized memory in /opcodes/tic4x-dis.c in the Binary File Descriptor (BFD) library. By persuading a victim to open a specially-crafted file with corrupt dwarf1 debug information, a remote attacker could cause a denial of service.
— IBM
There's a flaw in binutils /opcodes/tic4x-dis.c. An attacker who is able to submit a crafted input file to be processed by binutils could cause usage of uninitialized memory. The highest threat is to application availability with a lower threat to data confidentiality. This flaw affects binutils versions prior to 2.34.
— MITRE
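The bug class described above (a disassembler lookup table on the heap whose unfilled slots are read back and printed) is easier to reason about with a small model. The following is an added illustrative example, not the binutils tic4x-dis.c code: the table layout, the mnemonic names and the function names are constructed for this page. It shows the malloc-without-initialization pattern beside a hardened version that zero-fills the table and bounds-checks the index, so an unknown condition code yields a NULL sentinel instead of stale heap bytes.

```c
#include <stdlib.h>
#include <string.h>

/* Illustrative model of an uninitialized-heap read in a disassembler
   condition-code table. NOT the binutils tic4x code; everything below
   (slot count, mnemonics, function names) is constructed. */

#define COND_TABLE_SIZE 32          /* a 5-bit condition field: 32 slots */

typedef struct {
    const char *name;               /* mnemonic suffix, NULL when unknown */
} cond_entry;

/* Constructed sample of known condition codes; most slots stay empty. */
static const struct { unsigned code; const char *name; } known_conds[] = {
    { 0x00, "u" }, { 0x01, "lo" }, { 0x02, "ls" }, { 0x03, "hi" },
    { 0x05, "eq" }, { 0x06, "ne" },
};
#define N_KNOWN (sizeof known_conds / sizeof known_conds[0])

/* Vulnerable pattern: the table is malloc'd and only the known slots are
   written. Looking up any other code hands back whatever bytes were left
   on the heap; printing through that pointer leaks memory or crashes. */
static const char *cond_name_vulnerable(unsigned code)
{
    static cond_entry *table;
    if (table == NULL) {
        table = malloc(COND_TABLE_SIZE * sizeof *table);  /* uninitialized */
        if (table == NULL)
            return NULL;
        for (size_t i = 0; i < N_KNOWN; i++)
            table[known_conds[i].code].name = known_conds[i].name;
    }
    /* Masking keeps the index in range but does nothing about slots
       that were never written: the returned pointer may be garbage. */
    return table[code & (COND_TABLE_SIZE - 1)].name;
}

/* Hardened pattern: zero-fill the table so every unfilled slot is a
   NULL sentinel, and reject out-of-range fields instead of masking. */
static const char *cond_name_hardened(unsigned code)
{
    static cond_entry *table;
    if (table == NULL) {
        table = calloc(COND_TABLE_SIZE, sizeof *table);   /* all NULL */
        if (table == NULL)
            return NULL;
        for (size_t i = 0; i < N_KNOWN; i++)
            table[known_conds[i].code].name = known_conds[i].name;
    }
    if (code >= COND_TABLE_SIZE)
        return NULL;                /* field wider than the table */
    return table[code].name;        /* NULL for any never-filled slot */
}

/* What a decoder should emit for a condition field: an unknown slot
   becomes a fixed placeholder, never the slot's raw contents. */
static const char *decode_cond(unsigned code)
{
    const char *name = cond_name_hardened(code);
    return name ? name : "<unknown>";
}
```

Only the known slots of the vulnerable table are safe to read; compiling this file with MemorySanitizer (`clang -fsanitize=memory`) or running it under Valgrind and calling `cond_name_vulnerable` with a code such as 0x04 reports the uninitialized read, which is the same signal a fuzzing harness over a disassembler would surface for this bug class.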
Affected Software
Remediation
Patch Available
Event History
Frequently Asked Questions
What is CVE-2020-35494?
CVE-2020-35494 is a vulnerability in binutils/opcodes/tic4x-dis.c that allows an attacker to cause usage of uninitialized memory.
What is the severity of CVE-2020-35494?
The severity of CVE-2020-35494 is medium with a CVSS score of 6.1.
How does CVE-2020-35494 affect application availability?
CVE-2020-35494 poses a high threat to application availability.
What is the impact of CVE-2020-35494 on data confidentiality?
The impact of CVE-2020-35494 on data confidentiality is lower.
Which software packages are affected by CVE-2020-35494?
CVE-2020-35494 affects binutils version up to 2.34, GNU Binutils up to version 2.34, Fedoraproject Fedora version 32, Netapp Cloud Backup, NetApp ONTAP Select Deploy administration utility, Netapp Solidfire, Enterprise Sds & Hci Storage Node, Netapp Solidfire & Hci Management Node, Broadcom Brocade Fabric Operating System Firmware, and Netapp Hci Compute Node Firmware.