CVE-2022-44940
Description
Patchelf v0.9 has an out-of-bounds read in modifyRPath, potentially causing crashes or information disclosure when processing crafted ELF files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2022-44940 describes an out-of-bounds read vulnerability in Patchelf v0.9, specifically within the modifyRPath function in src/patchelf.cc. The root cause is insufficient bounds checking when the tool manipulates ELF binary rpath entries, allowing an attacker to trigger a read beyond allocated memory boundaries [1][4].
Exploitation
The vulnerability is reachable, locally or remotely, wherever an attacker can supply a maliciously crafted ELF file for Patchelf to process. No authentication is required; the vulnerability is triggered when using operations such as --shrink-rpath on a specially crafted binary. The provided proof-of-concept demonstrates a segmentation fault (SEGV) detected by AddressSanitizer, confirming the out-of-bounds read [4].
Impact
Successful exploitation can lead to a denial-of-service condition (application crash) and potentially information disclosure through the out-of-bounds read. There is no indication of remote code execution from the available references [1][4].
Mitigation
The issue has been fixed in the upstream Patchelf repository via pull request #419. Users are advised to update to a patched version (post-0.9) or apply the commit that addresses the missing bounds check [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| patchelf (PyPI) | < 0.16.1.0 | 0.16.1.0 |
Affected products
- Patchelf/Patchelf (description)
Patches
b751eeb137d7 Merge pull request #419 from xiaoxiaoafeifei/master
1 file changed · +1 −0
src/patchelf.cc+1 −0 modified@@ -1371,6 +1371,7 @@ void ElfFile<ElfFileParamNames>::modifyRPath(RPathOp op, string. */ std::vector<std::string> neededLibs; auto dyn = (Elf_Dyn *)(fileContents->data() + rdi(shdrDynamic.sh_offset)); + checkPointer(fileContents, dyn, sizeof(*dyn)); Elf_Dyn *dynRPath = nullptr, *dynRunPath = nullptr; char * rpath = nullptr; for ( ; rdi(dyn->d_tag) != DT_NULL; dyn++) {
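Review bot: the added `checkPointer(fileContents, dyn, sizeof(*dyn));` validates only the first `Elf_Dyn` at `sh_offset`, while the `for ( ; rdi(dyn->d_tag) != DT_NULL; dyn++)` loop directly below it advances `dyn` with no further check. A dynamic section that has no `DT_NULL` entry before the end of `fileContents` would still be read past the buffer. Consider calling `checkPointer` on each entry inside the loop, or bounding the walk by the section size taken from `shdrDynamic`.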
Vulnerability mechanics
Root cause
"Missing bounds check on the dynamic section pointer before dereferencing it in modifyRPath allows out-of-bounds read."
Attack vector
An attacker provides a crafted ELF binary where the dynamic section header (`shdrDynamic.sh_offset`) points to a location outside the actual file data. When `patchelf` processes this file with the `modifyRPath` function, the pointer arithmetic produces an address beyond the allocated buffer. The subsequent loop reading `dyn->d_tag` then performs an out-of-bounds read [patch_id=1641212]. No authentication is required; the attacker only needs to supply the malformed ELF file as input to the tool.
Affected code
The vulnerability resides in `src/patchelf.cc` within the `modifyRPath` function. The code computes a pointer `dyn` from `fileContents->data() + rdi(shdrDynamic.sh_offset)` and then iterates over dynamic entries without first verifying that the pointer is within the valid bounds of the file buffer. This missing bounds check allows an out-of-bounds read when the dynamic section offset points beyond the file contents.
What the fix does
The patch inserts a single line `checkPointer(fileContents, dyn, sizeof(*dyn));` immediately after the `dyn` pointer is computed. This call validates that the pointer and at least one `Elf_Dyn` structure fit within the allocated `fileContents` buffer. If the check fails, the program safely aborts instead of reading out-of-bounds memory. The fix closes the vulnerability by ensuring all dynamic entries accessed in the subsequent loop are within valid memory [patch_id=1641212].
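The bounds-checking pattern described above, as an added example that is not patchelf's code; it goes one step beyond the patch by validating every dynamic entry before it is read rather than only the first. The names `checkRange`, `countRPathEntries`, `makeFile` and `rejects` are hypothetical, and the sample buffers are constructed (64-bit entries, host byte order).

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// Same layout as a 64-bit ELF dynamic entry; defined here so no <elf.h> is needed.
struct Dyn { int64_t d_tag; uint64_t d_val; };
constexpr int64_t kDtNull = 0, kDtRpath = 15, kDtRunpath = 29;

// Hypothetical helper (not patchelf's checkPointer): throw unless
// [off, off + size) lies inside buf. Written so off + size cannot wrap.
static void checkRange(const std::vector<unsigned char>& buf, uint64_t off, uint64_t size) {
    if (off > buf.size() || size > buf.size() - off)
        throw std::runtime_error("dynamic entry outside file contents");
}

// Walk the dynamic array at shOffset, validating each entry before reading it.
// Returns the number of DT_RPATH/DT_RUNPATH entries seen before DT_NULL.
int countRPathEntries(const std::vector<unsigned char>& file, uint64_t shOffset) {
    int found = 0;
    for (uint64_t off = shOffset;; off += sizeof(Dyn)) {
        checkRange(file, off, sizeof(Dyn));
        Dyn d;
        std::memcpy(&d, file.data() + off, sizeof d);  // copy avoids unaligned reads
        if (d.d_tag == kDtNull) return found;
        if (d.d_tag == kDtRpath || d.d_tag == kDtRunpath) ++found;
    }
}

// Constructed sample file: 16 bytes of padding, then one Dyn entry per tag.
std::vector<unsigned char> makeFile(const std::vector<int64_t>& tags) {
    std::vector<unsigned char> f(16, 0);
    for (int64_t t : tags) {
        Dyn d{t, 0};
        const unsigned char* p = reinterpret_cast<const unsigned char*>(&d);
        f.insert(f.end(), p, p + sizeof d);
    }
    return f;
}

// True if the walk is refused instead of reading past the buffer.
bool rejects(const std::vector<unsigned char>& file, uint64_t shOffset) {
    try { countRPathEntries(file, shOffset); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main() {
    auto ok = makeFile({1, 15, 29, 0});
    return (countRPathEntries(ok, 16) == 2 && rejects(makeFile({1, 15}), 16)) ? 0 : 1;
}
```

The unterminated case (`makeFile({1, 15})`) is the one a first-entry-only check does not cover: the first entry is in bounds, and the walk is refused only when it reaches the end of the buffer.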
Preconditions
- input: The attacker must supply a crafted ELF binary with a dynamic section offset pointing outside the file buffer.
- config: The victim must run patchelf (v0.9) on the crafted file with an operation that triggers modifyRPath.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5pcj-3m26-w633 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-44940 (ghsa, ADVISORY)
- github.com/NixOS/patchelf/pull/419 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/patchelf/PYSEC-2022-43144.yaml (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/pypatchelf/PYSEC-2022-43151.yaml (ghsa, WEB)