VYPR
Unrated severity · NVD Advisory · Published Oct 10, 2019 · Updated Aug 5, 2024

CVE-2019-17451

Description

An integer overflow in the BFD library's _bfd_dwarf2_find_nearest_line function can cause a segmentation fault when processing malformed DWARF debug data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An integer overflow vulnerability exists in the _bfd_dwarf2_find_nearest_line function within the dwarf2.c file of the Binary File Descriptor (BFD) library, as distributed in GNU Binutils version 2.32. This flaw can be triggered when parsing specially crafted DWARF debug information, leading to a segmentation fault (SEGV). The issue is demonstrated using the nm utility [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malformed binary file containing specific DWARF debug data. If a user or automated system processes this file with affected versions of GNU Binutils tools (such as nm), the integer overflow occurs, resulting in a program crash. No authentication is required; the attack relies on user interaction to open the file [1][2].

Impact

Successful exploitation results in a denial of service (DoS) due to application crash. The referenced security notices also state that arbitrary code execution might be possible, though the specific CVE is noted for causing a SEGV [1][2].

Mitigation

The vulnerability is fixed in Binutils version 2.33.1 and later. Ubuntu has released updated packages (binutils 2.30-21ubuntu1~18.04.3 for 18.04 LTS) as part of USN-4336-1. Gentoo users should upgrade to >=sys-devel/binutils-2.33.1. No workarounds are known; updating to the patched version is recommended [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

73

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

6
