Bug 2404554 - CVE-2025-11840 gdb: GNU Binutils out-of-bounds read [fedora-42]
Summary: CVE-2025-11840 gdb: GNU Binutils out-of-bounds read [fedora-42]
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: gdb
Version: 42
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Kevin Buettner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["ffad7a04-e5f2-4603-8304-4...
Depends On:
Blocks: CVE-2025-11840
Reported: 2025-10-16 18:03 UTC by Jon Moroney
Modified: 2025-11-14 06:54 UTC
CC List: 9 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2025-11-14 06:54:41 UTC
Type: ---
Embargoed:

Description Jon Moroney 2025-10-16 18:03:40 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams

Comment 1 Kevin Buettner 2025-10-28 22:20:12 UTC
I've looked at the upstream issue:

https://sourceware.org/bugzilla/show_bug.cgi?id=33455

H.J. Lu has proposed a patch which might fix the linker issue, but it has not yet been committed/pushed.

My analysis shows that GDB does not call the function which H.J. has changed in his proposed patch, but, since that patch isn't upstream yet, I cannot close this as NOTABUG.  Also, even if it is a bug, there is no backport available, as proposed patches should not be backported.

Therefore, I've assigned it to myself and will leave it open until there's movement on the upstream bug.

Comment 2 Kevin Buettner 2025-11-14 06:54:41 UTC
Closing as NOTABUG – per the GNU Debugger Security Policy

CVE-2025-11840 concerns an out-of-bounds read in libbfd's COFF loader
(`coff_slurp_reloc_table`). The only effect that can surface in GDB is a
non-privileged crash (due to an attempted NULL pointer dereference) when the
gdb-compile module loads a COFF object with a malformed relocation.

* The gdb-compile module, when used on Linux, generates ELF objects and
  executables; it does NOT produce COFF files. Consequently, under normal
  Linux usage the COFF-related path that contains the vulnerability is never
  exercised.

* Triggering the bug would require deliberately constructing a COFF file whose
  relocation's `howto->name` is NULL and then loading that file via gdb-compile,
  a highly contrived scenario that is not encountered in typical debugging
  sessions.

* The bug does NOT cross a privilege boundary, does not cause the inferior
  program to run without an explicit GDB command, and does not permit arbitrary
  code execution in the debugger.  According to the policy section
  "What Is Not A Security Bug", an internal error that results merely in a
  crash is NOT a security bug.

Therefore this issue does not meet any of the four criteria that define a
security bug for GDB, and it should be closed as NOTABUG.

References:
- gdb/SECURITY.txt - "What Is Not A Security Bug" (items 1-4)
- Binutils bug #33455 (https://sourceware.org/bugzilla/show_bug.cgi?id=33455)
- CVE-2025-11840 (https://access.redhat.com/security/cve/cve-2025-11840)
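Editor's note, added to this tracker page and not part of the bug report, GDB or binutils: the failure mode described in comment 2 (a relocation whose type resolves to an entry with no `howto->name`, plus a reader that trusts the on-disk relocation count) is the classic shape of a COFF relocation-table bug. The C below is a deliberately simplified, self-contained model of such a reader, written for this page. The 10-byte on-disk entry layout (r_vaddr, r_symndx, r_type, little-endian) is the standard COFF format; the `howtos` table, its contents, the status codes and the sample relocation bytes are constructed for illustration and are not libbfd's. It shows the three checks a loader needs before it touches a relocation's howto entry: the count must fit the section, the type must index inside the table, and the entry's name must not be NULL.

```c
/* Simplified model of a COFF relocation-table reader (illustrative only;
 * not libbfd's coff_slurp_reloc_table). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define COFF_RELSZ 10   /* standard on-disk size of one COFF relocation */

struct howto { const char *name; unsigned size; };

/* Hypothetical howto table indexed by relocation type. Entry 2 is a gap
 * (name == NULL) to model a type the loader knows nothing about. */
static const struct howto howtos[] = {
  { "R_ABS",   0 },
  { "R_DIR32", 4 },
  { NULL,      0 },
  { "R_REL32", 4 },
};

enum reloc_status {
  RELOC_TRUNCATED = -1,   /* header claims more entries than the bytes hold */
  RELOC_BAD_TYPE  = -2,   /* r_type is outside the howto table */
  RELOC_NO_HOWTO  = -3,   /* r_type hits a table gap with a NULL name */
};

struct reloc {
  uint32_t vaddr, symndx;
  uint16_t type;
  const struct howto *howto;
};

static uint32_t rd32(const uint8_t *p)
{
  return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Decode 'count' relocations from buf[0..len). 'out' must hold 'count'
 * entries. Returns the number decoded, or a negative reloc_status. */
int slurp_relocs(const uint8_t *buf, size_t len, size_t count, struct reloc *out)
{
  /* Check 1: trusting the header's count and reading past 'len' is the
   * out-of-bounds read. Divide first so the multiply cannot overflow. */
  if (count > len / COFF_RELSZ)
    return RELOC_TRUNCATED;

  for (size_t i = 0; i < count; i++) {
    const uint8_t *p = buf + i * COFF_RELSZ;
    struct reloc r = { rd32(p), rd32(p + 4), rd16(p + 8), NULL };

    /* Check 2: the type must index inside the howto table. */
    if (r.type >= sizeof howtos / sizeof howtos[0])
      return RELOC_BAD_TYPE;
    /* Check 3: a gap in the table must never be handed to code that later
     * prints howto->name; reject it here instead of crashing there. */
    if (howtos[r.type].name == NULL)
      return RELOC_NO_HOWTO;

    r.howto = &howtos[r.type];
    out[i] = r;
  }
  return (int)count;
}

/* Constructed sample data (little-endian: vaddr, symndx, type). */
static const uint8_t sample_good[] = {
  0x00,0x10,0x00,0x00, 0x05,0x00,0x00,0x00, 0x01,0x00,   /* 0x1000, sym 5, R_DIR32 */
  0x08,0x10,0x00,0x00, 0x06,0x00,0x00,0x00, 0x03,0x00,   /* 0x1008, sym 6, R_REL32 */
};
static const uint8_t sample_badtype[] = {
  0x00,0x10,0x00,0x00, 0x05,0x00,0x00,0x00, 0x07,0x00 }; /* type 7: off the table */
static const uint8_t sample_nohowto[] = {
  0x00,0x10,0x00,0x00, 0x05,0x00,0x00,0x00, 0x02,0x00 }; /* type 2: NULL name */

int main(void)
{
  struct reloc r[2];
  int n = slurp_relocs(sample_good, sizeof sample_good, 2, r);
  for (int i = 0; i < n; i++)
    printf("reloc %d: vaddr=0x%x sym=%u %s\n", i, r[i].vaddr, r[i].symndx, r[i].howto->name);
  printf("over-count -> %d\n", slurp_relocs(sample_good, sizeof sample_good, 3, r));
  printf("bad type   -> %d\n", slurp_relocs(sample_badtype, sizeof sample_badtype, 1, r));
  printf("no howto   -> %d\n", slurp_relocs(sample_nohowto, sizeof sample_nohowto, 1, r));
  return 0;
}
```

The point of the three sample buffers is that each malformed input is rejected by a distinct check; a reader that only validated the count would still reach a NULL `howto->name`, which is the crash comment 2 describes.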
