CVE-2023-25588: Field `the_bfd` of `asymbol` is uninitialized in function `bfd_mach_o_get_synthetic_symtab`
A flaw was found in Binutils. The field `the_bfd` of the `asymbol` struct is uninitialized in the `bfd_mach_o_get_synthetic_symtab` function, which may lead to an application crash and local denial of service.
Other sources
GNU binutils is vulnerable to a denial of service, caused by the field `the_bfd` of `asymbol` not being properly initialized in the `bfd_mach_o_get_synthetic_symtab` function. By persuading a victim to open specially crafted content, a remote attacker could exploit this vulnerability to cause a crash or access sensitive information.
— IBM
In Binutils, the field `the_bfd` of `asymbol` is uninitialized in function `bfd_mach_o_get_synthetic_symtab`.
Upstream bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=29677
Upstream fix:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d12f8998d2d086f0a6606589e5aedb7147e6f2f1
— Red Hat
Remediation
Patch Available
Frequently Asked Questions
What is the vulnerability ID of this flaw?
The vulnerability ID of this flaw is CVE-2023-25588.
What is the severity rating for CVE-2023-25588?
The severity rating for CVE-2023-25588 is medium with a value of 5.5.
How does this vulnerability impact the affected software?
This vulnerability may lead to an application crash and local denial of service in the affected software.
What is the affected version of GNU Binutils?
The affected version of GNU Binutils is 2.40.
Where can I find more information about this vulnerability?
You can find more information about this vulnerability at the following references: [Red Hat Security Advisory](https://access.redhat.com/security/cve/CVE-2023-25588), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2167505), [Sourceware Bugzilla](https://sourceware.org/bugzilla/show_bug.cgi?id=29677).