VDB

DEBIAN-CVE-2025-69650

DEBIAN-CVE-2025-69650 PUBLISHED CVSS 7.5 HIGH

GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. As a result, process_got_section_contents() may pass an uninitialized r_symbol pointer to free(), leading to a double free and terminating the program with SIGABRT. No evidence of exploitable memory corruption or code execution was observed; the impact is limited to denial of service. NOTE: this is disputed by third parties because the observed behavior occurred only in pre-release code and did not affect any tagged version.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

VendorProductVersions
Debian:12binutils2.43.50.20241204-2, 2.44.50.20250218-1, 2.44.50.20250309-1
Debian:13binutils2.44.50.20250218-2, 2.44.50.20250309-1, 2.44.50.20250405-1
Debian:14binutils2.44.50.20250207-1, 2.44.50.20250218-1, 2.44.50.20250218-2
Debian:11binutils2.45-2, 2.45-3, 2.45-4

Timeline

  • Mar 6, 2026 CVE Published
  • Apr 28, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›