CVE-2017-9755
Description
opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in GNU Binutils 2.28's i386-dis.c when disassembling crafted binaries with 'objdump -D' allows denial of service or potential code execution.
Vulnerability
A buffer overflow vulnerability exists in GNU Binutils 2.28, specifically in the opcodes/i386-dis.c file. The flaw occurs because the code does not properly account for the number of registers when handling bnd (bound) mode instructions. This allows a crafted binary file to trigger a buffer overflow when processed by objdump -D [1].
Exploitation
An attacker can exploit this by crafting a malicious binary file that triggers the buffer overflow when a user runs objdump -D on it. The attacker does not require special network position beyond delivering the file (e.g., via email, web download). No authentication is needed beyond the user invoking the command. The overflow occurs during the disassembly step, which is a common operation on binary files [1].
Impact
Successful exploitation results in denial of service via application crash. The CVE description notes that other unspecified impacts may be possible, suggesting potential for code execution depending on the severity of the overflow. The vulnerability has a CVSS v3 score of 7.8 (High), indicating a significant risk [1].
Mitigation
A fix was released in GNU Binutils version 2.29.1-r1. Users should upgrade to this version or later. The Gentoo Security Advisory (GLSA 201801-01) recommends upgrading via emerge --sync && emerge --ask --oneshot --verbose ">=sys-devel/binutils-2.29.1-r1". There are no known workarounds available [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
23- osv-coords21 versionspkg:rpm/opensuse/binutils&distro=openSUSE%20Tumbleweedpkg:rpm/suse/binutils&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSSpkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/binutils&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/cross-ppc-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2pkg:rpm/suse/cross-ppc-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3pkg:rpm/suse/cross-spu-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2pkg:rpm/suse/cross-spu-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
< 2.37-1.3+ 20 more
- (no CPE)range: < 2.37-1.3
- (no CPE)range: < 2.31-9.26.1
- (no CPE)range: < 2.29.1-9.20.2
- (no CPE)range: < 2.29.1-9.20.2
- (no CPE)range: < 2.31-9.26.1
- (no CPE)range: < 2.29.1-9.20.2
- (no CPE)range: < 2.31-9.26.1
- (no CPE)range: < 2.31-9.26.1
- (no CPE)range: < 2.29.1-9.20.2
- (no CPE)range: < 2.31-9.26.1
- (no CPE)range: < 2.29.1-9.20.2
- (no CPE)range: < 2.29.1-9.20.2
- (no CPE)range: < 2.29.1-9.20.2
- (no CPE)range: < 2.29.1-9.20.2
- (no CPE)range: < 2.29.1-9.20.2
- (no CPE)range: < 2.29.1-9.20.2
- (no CPE)range: < 2.31-9.26.1
- (no CPE)range: < 2.29.1-9.20.2
- (no CPE)range: < 2.29.1-9.20.2
- (no CPE)range: < 2.29.1-9.20.2
- (no CPE)range: < 2.29.1-9.20.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- sourceware.org/bugzilla/show_bug.cginvdIssue TrackingPatchThird Party Advisory
- www.securityfocus.com/bid/99124nvdThird Party AdvisoryVDB Entry
- security.gentoo.org/glsa/201801-01nvd
News mentions
0No linked articles in our index yet.