CVE-2017-15938
Description
dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, miscalculates DW_FORM_ref_addr die refs in the case of a relocatable object file, which allows remote attackers to cause a denial of service (find_abstract_instance_name invalid memory read, segmentation fault, and application crash).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A miscalculation in dwarf2.c of GNU Binutils 2.29 allows remote attackers to cause a denial of service via a crafted relocatable object file.
Vulnerability
The vulnerability resides in dwarf2.c within the Binary File Descriptor (BFD) library of GNU Binutils 2.29. It miscalculates DW_FORM_ref_addr DIE references when processing a relocatable object file, leading to an invalid memory read in the find_abstract_instance_name function [1].
Exploitation
An attacker can craft a malicious relocatable object file that triggers the miscalculation. The victim must process the file with binutils tools (e.g., nm, objdump) that parse DWARF debug information. No special privileges are needed beyond access to the crafted file [1][2].
Impact
Successful exploitation results in a segmentation fault and application crash, causing a denial of service condition [1].
Mitigation
Users should upgrade to Binutils version 2.29.1-r1 or later, as recommended by the Gentoo GLSA 201801-01 [2]. No known workarounds exist.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
19 entries; osv-coords: 17 versions
- pkg:rpm/opensuse/binutils&distro=openSUSE%20Tumbleweed (no CPE) range: < 2.37-1.3
- pkg:rpm/suse/binutils&distro=SUSE%20Enterprise%20Storage%204 (no CPE) range: < 2.31-9.26.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 (no CPE) range: < 2.31-9.26.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 (no CPE) range: < 2.31-6.3.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015 (no CPE) range: < 2.31-6.3.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS (no CPE) range: < 2.31-9.26.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE) range: < 2.31-9.26.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS (no CPE) range: < 2.31-9.26.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 (no CPE) range: < 2.31-9.26.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS (no CPE) range: < 2.31-9.26.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 (no CPE) range: < 2.31-9.26.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (no CPE) range: < 2.31-9.26.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE) range: < 2.31-9.26.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE) range: < 2.31-9.26.1
- pkg:rpm/suse/binutils&distro=SUSE%20OpenStack%20Cloud%207 (no CPE) range: < 2.31-9.26.1
- pkg:rpm/suse/cross-ppc-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE) range: < 2.31-9.26.1
- pkg:rpm/suse/cross-spu-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE) range: < 2.31-9.26.1
Patches
No patches discovered yet.
References
- blogs.gentoo.org/ago/2017/10/24/binutils-invalid-memory-read-in-find_abstract_instance_name-dwarf2-c/ (nvd: Patch, Third Party Advisory, VDB Entry)
- sourceware.org/bugzilla/show_bug.cgi (nvd: Issue Tracking, Patch, Third Party Advisory)
- www.securityfocus.com/bid/101610 (nvd)
- security.gentoo.org/glsa/201801-01 (nvd)