CVE-2018-19932
Description
An integer overflow in the IS_CONTAINED_BY_LMA macro of libbfd causes an infinite loop when processing crafted files, leading to denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An integer overflow in the IS_CONTAINED_BY_LMA macro of libbfd causes an infinite loop when processing crafted files, leading to denial of service.
Vulnerability
The vulnerability resides in the IS_CONTAINED_BY_LMA macro within elf.c of the Binary File Descriptor (BFD) library (libbfd) in GNU Binutils through version 2.31. An integer overflow occurs when the macro is evaluated, leading to an infinite loop. This issue is reachable when the library processes a specially crafted ELF, object, PE, or other binary file [1].
Exploitation
An attacker can exploit this vulnerability by enticing a user to compile, execute, or otherwise process a malicious binary file using Binutils tools that rely on the BFD library (e.g., objdump, nm, size). No special authentication or elevated privileges are required beyond the ability to supply a crafted file to the library. The attacker does not need network access beyond delivering the malicious file to the target system. The exploitation sequence involves the library parsing the malformed file, triggering the integer overflow in the IS_CONTAINED_BY_LMA macro, which then causes the processing to enter an unbounded loop [1].
Impact
Successful exploitation results in a denial of service (DoS) condition, as the infinite loop consumes CPU resources and prevents the affected tool from completing its operation. No other impacts (such as code execution or information disclosure) have been reported for this specific vulnerability, but unspecified other impacts may be possible [1].
Mitigation
The vulnerability is fixed in GNU Binutils version 2.32-r1 and later. Users should upgrade to at least that version. As per the Gentoo advisory [1], no known workaround is available; upgrading the sys-devel/binutils package is the recommended remediation. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
55- osv-coords54 versionspkg:rpm/opensuse/binutils&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/binutils&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/cross-aarch64-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-arm-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-avr-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-epiphany-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-hppa64-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-hppa-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-i386-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-ia64-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-m68k-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-mips-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-ppc64-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-ppc64le-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-ppc-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-riscv64-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-rx-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-s390-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-s390x-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-sparc64-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-sparc-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cross-spu-binutils&distro=openSUSE%20Leap%2015.1pkg:rpm/suse/binutils&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/binutils&distro=SUSE%20Enterprise%20Storage%204pkg:rpm/suse/binutils&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP1pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP1pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/binutils&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/binutils&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/binutils&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/cross-ppc-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/cross-ppc-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/cross-spu-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4pkg:rpm/suse/cross-spu-binutils&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
< 2.32-lp150.10.1+ 53 more
- (no CPE)range: < 2.32-lp150.10.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.37-1.3
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-lp151.3.3.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-6.8.1
- (no CPE)range: < 2.32-7.5.1
- (no CPE)range: < 2.32-6.8.1
- (no CPE)range: < 2.32-7.5.1
- (no CPE)range: < 2.32-6.8.1
- (no CPE)range: < 2.32-7.5.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
- (no CPE)range: < 2.32-9.33.1
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
7- lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.htmlmitrevendor-advisoryx_refsource_SUSE
- security.gentoo.org/glsa/201908-01mitrevendor-advisoryx_refsource_GENTOO
- usn.ubuntu.com/4336-1/mitrevendor-advisoryx_refsource_UBUNTU
- www.securityfocus.com/bid/106144mitrevdb-entryx_refsource_BID
- security.netapp.com/advisory/ntap-20190221-0004/mitrex_refsource_CONFIRM
- sourceware.org/bugzilla/show_bug.cgimitrex_refsource_MISC
News mentions
0No linked articles in our index yet.