VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 15, 2021· Updated Aug 4, 2024

CVE-2021-45078

CVE-2021-45078

Description

Heap buffer overflow in stab_xcoff_builtin_type in GNU Binutils through 2.37 allows denial of service via malformed input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap buffer overflow in stab_xcoff_builtin_type in GNU Binutils through 2.37 allows denial of service via malformed input.

Vulnerability

An out-of-bounds write vulnerability exists in the stab_xcoff_builtin_type function within stabs.c of GNU Binutils through version 2.37. The flaw is a heap-based buffer overflow that arises from an incomplete fix for CVE-2018-12699. An attacker can trigger the vulnerability by providing a crafted binary file that, when processed by Binutils tools (such as objdump or readelf), causes the vulnerable code path to write beyond allocated heap memory.

Exploitation

Exploitation requires an attacker to supply a specially crafted object file or executable that includes malformed stabs debugging information. The victim must then process the file using a Binutils tool that exercises the stab_xcoff_builtin_type function. No authentication or special privileges are needed beyond the ability to run the affected tool on the malicious file, typical of user-assisted exploitation scenarios where the target opens a file from an untrusted source.

Impact

Successful exploitation results in a heap-based buffer overflow, leading to a denial of service (program crash or memory corruption). The official description notes the possibility of additional impacts beyond denial of service, though the nature of those has not been publicly detailed. The CVSS v3.1 base score is 7.8, indicating high severity, with the attack vector being local (the attacker must have the ability to load the file).

Mitigation

The fix is included in Binutils version 2.38, released on 2022-01-29 [3]. Users of affected versions (through 2.37) should upgrade to 2.38 or later. Gentoo published a security advisory (GLSA 202208-30) recommending that all Binutils users upgrade to >= sys-devel/binutils-2.38 and >= sys-libs/binutils-libs-2.38 [3]. No workarounds are available other than updating. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

References
  1. Multiple Vulnerabilities (GLSA 202208-30) — Gentoo security

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

79

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

5

News mentions

0

No linked articles in our index yet.