binutils: heap-based buffer overflow in GNU Binutils 2.45 copy_section function (CVE-2025-7545)

Summary

CVE-2025-7545 is a heap-based buffer overflow vulnerability in GNU Binutils 2.45. The flaw exists in the copy_section function of binutils/objcopy.c and can be exploited locally using publicly available proof-of-concept code. A patch has been released to address the issue.

Product details

This vulnerability affects GNU Binutils version 2.45. Binutils is a collection of binary tools used for assembling, linking, and manipulating object files. The backport fixes for mingw-binutils related to CVE-2025-7545 have been released in Fedora 41, while Fedora 42 provides a critical update that resolves both CVE-2025-7545 and CVE-2025-7546.

Vulnerability type summary

The issue is a heap-based buffer overflow resulting in memory corruption. An attacker with local access can craft input data that overruns heap buffers in the copy_section function, leading to potential code execution or application crash.

Details of the vulnerability

In the copy_section routine of binutils/objcopy.c, the code fails to validate the size of section data copied onto the heap. By supplying manipulated section contents, an attacker can overwrite heap memory. The vulnerability requires local access, but the exploit code is publicly available. The patch addressing this issue is identified by commit 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. Applying this patch or upgrading to a distribution release that incorporates it will eliminate the overflow condition.

Conclusion

All users of GNU Binutils 2.45, especially those running mingw-binutils on Fedora, should apply the available patch or update to the fixed Fedora 41 or 42 packages immediately. This will prevent local attackers from leveraging the heap-based overflow to compromise systems or disrupt build processes.

Remediation and exploitation details

This chain involves the following actors

  • Local Malicious User: Attacker with command-line access to the vulnerable host
  • System Administrator: Maintainer responsible for applying security updates and patches

The following systems are involved

  • GNU Binutils 2.45 (Collection of tools for the creation and manipulation of binary object files): Contains the vulnerable function copy_section in binutils/objcopy.c
  • mingw-binutils on Fedora 41/42 (Cross-compilation toolset for Windows binaries): Packaged build of binutils 2.45 that inherits the vulnerability

Attack entry point

  • copy_section function in binutils/objcopy.c: Performs section data copy without proper bounds checking, leading to heap-based buffer overflow when section size metadata is maliciously crafted

Remediation actions

  • System Administrator (GNU Binutils 2.45): Apply commit 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944 to binutils/objcopy.c
  • System Administrator (mingw-binutils on Fedora 41/42): Upgrade to Fedora 41 or 42 packages with the backported fix
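
Alongside patching, a build pipeline can pre-screen untrusted object files before they reach objcopy. The following is an added example, not code from binutils or from this advisory: a generic sanity check that flags section headers whose declared size metadata is inconsistent with the file, and not a detector for the specific trigger of CVE-2025-7545. The names `check_sections` and `sample_elf` are assumptions of this example, and only little-endian ELF64 is handled.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr, little-endian
SHT_NOBITS = 8                             # section occupies no bytes in the file

def check_sections(data: bytes) -> list[str]:
    """Return findings for section headers that are inconsistent with the file."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        return ["not an ELF file"]
    if data[4:6] != b"\x02\x01":
        return ["example handles little-endian ELF64 only"]
    hdr = EHDR.unpack_from(data)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    if shentsize != SHDR.size or shoff + shnum * shentsize > len(data):
        return ["section header table lies outside the file"]
    findings, extents = [], []
    for i in range(1, shnum):  # index 0 is the reserved null section
        sh = SHDR.unpack_from(data, shoff + i * shentsize)
        sh_type, offset, size, entsize = sh[1], sh[4], sh[5], sh[9]
        if entsize and size % entsize:
            findings.append(f"section {i}: sh_size {size:#x} is not a multiple "
                            f"of sh_entsize {entsize:#x}")
        if sh_type == SHT_NOBITS or size == 0:
            continue
        if offset + size > len(data):
            findings.append(f"section {i}: data {offset:#x}+{size:#x} runs "
                            f"past end of file ({len(data):#x})")
        extents.append((offset, offset + size, i))
    extents.sort()
    for (_, end_a, a), (start_b, _, b) in zip(extents, extents[1:]):
        if start_b < end_a:
            findings.append(f"sections {a} and {b}: file extents overlap")
    return findings

def sample_elf(sh_size: int) -> bytes:
    """Constructed sample: ELF64 header, 0x20 data bytes, null + one PROGBITS header."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = EHDR.pack(ident, 1, 62, 1, 0, 0, 0x60, 0, 64, 0, 0, 64, 2, 0)
    shdrs = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0) + \
            SHDR.pack(0, 1, 0, 0, 0x40, sh_size, 0, 0, 1, 0)
    return ehdr + bytes(0x20) + shdrs

if __name__ == "__main__":
    for size in (0x20, 0x1000):
        print(hex(size), check_sections(sample_elf(size)) or "ok")
```

A non-empty result is a reason to reject or quarantine the file; an empty result does not replace applying the fix.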

Exploitation actions

Edit the section header e_shdr.sh_size field via a hex editor or script, then append extra bytes to the section payload

Local Malicious User
Craft a malicious ELF object with a section header that declares a small size but contains oversized data
GNU Binutils 2.45
Examples:
  • Use `xxd` to set sh_size to 0x100 but append 0x300 bytes of data after the header

Run objcopy with the --copy-section flag to process the malformed ELF and trigger the overflow

Local Malicious User
Invoke objcopy to copy the malicious section into a new binary
GNU Binutils 2.45
Examples:
  • objcopy --copy-section .mal=crafted.o input.elf output.elf

Exploit the overflow to write past the allocated buffer, targeting heap management metadata in glibc to hijack control flow

Local Malicious User
Corrupt adjacent heap metadata to overwrite function pointers or allocator structures
GNU Binutils 2.45
Examples:
  • Overwrite the fastbin freelist pointer to point at a controlled payload block

Complete the objcopy operation or run the resulting binary so the overwritten pointer is dereferenced and redirects execution

Local Malicious User
Trigger execution of the corrupted memory region
GNU Binutils 2.45
Examples:
  • ./output.elf

Use the point of controlled execution to invoke system calls or spawn an interactive shell

Local Malicious User
Spawn a shell or run arbitrary code with the hijacked control flow
Host Operating System
Examples:
  • /bin/sh -i

CVE database technical details

  • CVE ID: CVE-2025-7545
  • Description: A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.
  • Description (German entry, translated): A problematic vulnerability was discovered in GNU Binutils 2.45. It concerns the function copy_section of the file binutils/objcopy.c. Manipulation with unknown data can be used to exploit a heap-based buffer overflow vulnerability. The attack must be carried out locally. The exploit is publicly available. The patch is identified as 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. Patching is recommended as the best course of action.
  • Provider: VulDB
  • CWE / problem types: Heap-based Buffer Overflow, Memory Corruption
  • Affected Software Versions: GNU Binutils 2.45 (status: affected)
  • Date Published: 2025-07-13T21:44:08.027Z
  • Last Updated: 2025-07-15T19:53:03.699Z