CVE-2022-25265 - How a 20-Year-Old Compiler Lets Dangerous Bytes Run on Linux

If you think that only new vulnerabilities are worth worrying about, you're in for a surprise. CVE-2022-25265 highlights a quirky but real security hole that lives deep in the Linux kernel—even in modern systems—thanks to old compilers and some misunderstood file attributes. In this long-form read, I’ll break down the CVE, show you code snippets, and walk you through how an ancient build tool can open the door for executable bytes in places you’d never expect.

What Is CVE-2022-25265?

Put simply, CVE-2022-25265 is a flaw in how the Linux kernel (up through version 5.16.10) interprets binary files that have the exec-all attribute set. This attribute says, “Everything in this file can be executed as code,” even parts meant to be simple data. This doesn’t sound bad—until you realize some files have this attribute unintentionally, especially if they were compiled roughly around 2003 using GCC version 3.2.2 and Linux kernel version 2.4.20.

So, if you run an ancient binary (maybe from a backup or a quirky vendor) on a modern Linux, the kernel might let dangerous code run from places it normally would block.

Why Would Anyone Care?

Chances are, your everyday system isn’t running 20-year-old binaries. But a surprising number of embedded devices, specialized servers, or software collections do. Attackers could take an old binary (with exec-all), inject their code into a “safe” data section, and then cause that injected code to run on a modern system that believes it’s protected by no-exec regions.

Diving Deeper: The Role of exec-all

Normally, binaries mark only specific regions as executable: for example, code (text) sections, not data. With exec-all, the kernel just says: “Go ahead, run anything.” This attribute usually gets set by accident when using old toolchains from the early 200s.

Let’s break it down with real technical details.

Technical Background

ELF (Executable and Linkable Format) files control what’s marked as executable or writable through something called “program headers.” Each segment in the ELF binary receives permission flags:

PF_R: Readable

Back in the early days, some versions of GCC and Linux linker tools would mark *all* segments as executable. That means both code and data could *technically* run.

Here’s what a flawed program header might look like when checked with readelf -l oldbinary

Type           Offset             VirtAddr           PhysAddr
               FileSiz            MemSiz              Flags  Align
LOAD           x000000000000000 x000000000040000 x000000000040000
               x000000000000100 x000000000000100  R E    200000
LOAD           x000000000000100 x000000000060000 x000000000060000
               x000000000000200 x000000000000200  RWX    200000

See how the data segment has RWX? That “X” means executable. On a modern system, you’d expect only code sections to get an X.

Let’s use Python with the pyelftools module to scan a binary for this issue

from elftools.elf.elffile import ELFFile

def has_exec_all(filename):
    with open(filename, 'rb') as f:
        elf = ELFFile(f)
        for segment in elf.iter_segments():
            flags = segment['p_flags']
            # PF_X = 1; check if everything is marked executable
            if flags & x1 and flags & x2 and flags & x4:
                print(f"Segment at offset {segment['p_offset']} is RWX (exec-all)")
                return True
    return False

print(has_exec_all('oldbinary'))

Trick your program into jumping (via a vulnerability like buffer overflow) into this “data.”

3. The kernel, seeing exec-all, happily lets it execute—even in supposedly safe, non-executable pages.

With modern binaries, this “data injection” would fail, because the kernel blocks execution. The exec-all attribute breaks this protection.

Real-World Impact

- Old closed-source apps: If your vendor shipped you a binary in 2004 and you’re still running it, check the headers.
- Legacy embedded systems: Many routers, NAS solutions, and legacy hardware don’t get rebuilt often.

Apply kernel updates: Newer kernels add workarounds, but always prefer properly built files.

- Set mount options: Use noexec on filesystems that should never run binaries (e.g., user home directories, downloads).

Official References

- NVD: CVE-2022-25265 Details
- oss-security Mailing List Post
- Linux Kernel Commit Fix

Conclusion

CVE-2022-25265 is a reminder that the past can always come back to bite you. Even if you have the latest kernel, running old binaries built with ancient tools can sidestep your protections, thanks to mis-set attributes like exec-all. Regular audits, rebuilding, and a bit of paranoia are your best friends.

Timeline

Published on: 02/16/2022 21:15:00 UTC
Last modified on: 05/11/2022 14:08:00 UTC