CVE-2018-17360
Description
A heap-based buffer over-read in bfd_getl32 in libbfd of GNU Binutils 2.31 allows denial of service via a crafted PE file when processed by objdump.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer over-read vulnerability exists in the bfd_getl32 function in libbfd.c of the Binary File Descriptor (BFD) library, as distributed in GNU Binutils 2.31. The flaw can be triggered when objdump processes a specially crafted Portable Executable (PE) file. No special configuration is required beyond using the vulnerable version of Binutils.
Exploitation
An attacker must craft a malicious PE file that exploits the buffer over-read in bfd_getl32. The user or automated system must then run objdump on the crafted file, which can be achieved via social engineering or by tricking the system into processing the file automatically. No authentication or special privileges are needed to trigger the issue.
Impact
Successful exploitation results in a denial of service due to a crash of objdump. The referenced Ubuntu security notice [1] also notes that other similar issues in binutils could potentially lead to arbitrary code execution, but for this specific CVE the primary impact is a crash (denial of service). The vulnerability does not disclose information or provide code execution on its own.
Mitigation
The issue is fixed in GNU Binutils versions after 2.31. Ubuntu released an update for 18.04 LTS (bionic) with package version 2.30-21ubuntu1~18.04.3 [1]. Users should upgrade to the patched versions. No other workarounds are documented. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
osv-coords: 54 versions
- pkg:rpm/opensuse/binutils&distro=openSUSE%20Leap%2015.0 (no CPE) range: < 2.32-lp150.10.1
- pkg:rpm/opensuse/binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/binutils&distro=openSUSE%20Tumbleweed (no CPE) range: < 2.37-1.3
- pkg:rpm/opensuse/cross-aarch64-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-arm-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-avr-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-epiphany-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-hppa64-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-hppa-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-i386-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-ia64-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-m68k-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-mips-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-ppc64-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-ppc64le-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-ppc-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-riscv64-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-rx-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-s390-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-s390x-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-sparc64-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-sparc-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/opensuse/cross-spu-binutils&distro=openSUSE%20Leap%2015.1 (no CPE) range: < 2.32-lp151.3.3.1
- pkg:rpm/suse/binutils&distro=HPE%20Helion%20OpenStack%208 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Enterprise%20Storage%204 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Enterprise%20Storage%205 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 (no CPE) range: < 2.32-6.8.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 (no CPE) range: < 2.32-7.5.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015 (no CPE) range: < 2.32-6.8.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1 (no CPE) range: < 2.32-7.5.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015 (no CPE) range: < 2.32-6.8.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP1 (no CPE) range: < 2.32-7.5.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20OpenStack%20Cloud%207 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20OpenStack%20Cloud%208 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/binutils&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/cross-ppc-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/cross-ppc-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/cross-spu-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4 (no CPE) range: < 2.32-9.33.1
- pkg:rpm/suse/cross-spu-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE) range: < 2.32-9.33.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html (mitre, vendor-advisory, x_refsource_SUSE)
- usn.ubuntu.com/4336-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- sourceware.org/bugzilla/show_bug.cgi (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.