Bug 2460524 - CVE-2026-6846 gdb: Binutils: Arbitrary code execution via malformed XCOFF object file processing [fedora-all]
Summary: CVE-2026-6846 gdb: Binutils: Arbitrary code execution via malformed XCOFF obj...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: gdb
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Kevin Buettner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["1ae54686-cc02-478d-ac92-8...
Depends On:
Blocks: CVE-2026-6846
Reported: 2026-04-22 08:05 UTC by Avinash Hanwate
Modified: 2026-04-23 15:42 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2026-04-23 15:42:29 UTC
Type: ---
Embargoed:



Description Avinash Hanwate 2026-04-22 08:05:21 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Andrew Burgess 2026-04-23 15:42:29 UTC
The CVE links to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=2460006 which is the binutils version of this bug.

This then links to the upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=34049

Which indicates that the bug is fixed, and that the fix is in the function xcoff_link_add_symbols.  See comment: https://sourceware.org/bugzilla/show_bug.cgi?id=34049#c3 for details.

This is not the first CVE in xcoff_link_add_symbols we've seen recently, see: https://bugzilla.redhat.com/show_bug.cgi?id=2443833.

The analysis on that bug shows that xcoff_link_add_symbols is not used or called by GDB.  As such this issue does not apply to GDB.
