CVE-2025-1150: Memory Leak Vulnerability Found in GNU Binutils 2.43 Causing BFD_Malloc Issues

A memory leak vulnerability (CVE-2025-1150) has recently been discovered in the GNU Binutils 2.43. This vulnerability has been declared as problematic and closely tied to the function bfd_malloc present in the libbfd.c file of the component ld. If exploited, this vulnerability could potentially lead to unauthorized access and manipulation of sensitive data.

The attack on this vulnerability can be initiated remotely, although the complexity of such an attack is considered to be rather high. Moreover, the exploitation seems to be difficult, which is a significant advantage for users. The vulnerability is now publicly disclosed, and it is highly recommended to apply a patch to fix this issue to avoid any potential security risks.

In-depth details about the vulnerability can be found in the original references

1. CVE-2025-1150
2. Binutils Bugzilla report

The following code snippet demonstrates the problematic bfd_malloc function in the libbfd.c file

void *
bfd_malloc (bfd_size_type size)
{
  void *ptr;

  if (size == )
    size = 1;

  ptr = malloc (size);
  
  if (ptr == NULL)
    {
      bfd_set_error (bfd_error_no_memory);
      return NULL;
    }

  return ptr;
}

In this function, the memory leak vulnerability can be traced back to improper handling of memory allocations and deallocations, leading to the gradual increase in memory consumption and eventual failure of the program.

However, there is good news for users of GNU Binutils as the code maintainer stated in a discussion: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilize ld. All of the reported leaks in this Bugzilla have been fixed on binutils master."

This indicates that users can expect an upcoming release of GNU Binutils to incorporate fixes for this vulnerability, among others. Until then, it is highly recommended to apply the available patches and keep your systems secure in the face of potential exploits.

Stay safe and keep your software up-to-date to avoid unpleasant surprises.

Timeline

Published on: 02/10/2025 17:15:18 UTC
Last modified on: 03/11/2025 19:01:04 UTC