CVE-2025-66864 Overview
CVE-2025-66864 is a denial of service vulnerability in GNU Binutils 2.26. The flaw resides in the d_print_comp_inner function within cp-demangle.c, a C++ symbol demangler used by tools such as c++filt, nm, addr2line, and objdump. Attackers can trigger the issue by supplying a crafted Portable Executable (PE) file that contains malformed mangled symbols. Processing the file causes the demangler to crash, resulting in an availability impact. The vulnerability is classified under [CWE-20] Improper Input Validation and affects build pipelines, reverse engineering workflows, and automated binary analysis services that ingest untrusted PE inputs.
Critical Impact
Remote attackers can crash Binutils tooling by submitting a malicious PE file, disrupting binary analysis pipelines and any service that demangles untrusted C++ symbols.
Affected Products
- GNU Binutils 2.26
- Tools linking libiberty demangling code (e.g., c++filt, nm, objdump, addr2line)
- Downstream distributions and toolchains bundling the affected cp-demangle.c
Discovery Timeline
- 2025-12-29 - CVE-2025-66864 published to the National Vulnerability Database (NVD)
- 2026-01-14 - Last updated in NVD database
Technical Details for CVE-2025-66864
Vulnerability Analysis
The defect lies in d_print_comp_inner, a recursive routine that walks the abstract syntax tree produced when demangling Itanium-style C++ symbols. A crafted PE file embeds mangled symbol strings that drive the demangler into a state the function does not validate, terminating the process with a crash. Because the demangler is invoked automatically by common Binutils utilities when listing symbols, a single malicious binary is sufficient to take down the consuming tool.
The issue is reachable from network-delivered files. Build farms, malware analysis sandboxes, package indexers, and continuous integration systems that run nm or objdump against attacker-supplied binaries are exposed. The impact is limited to availability; confidentiality and integrity are not affected.
Root Cause
The root cause is improper input validation [CWE-20] during recursive traversal of demangled component trees. d_print_comp_inner does not adequately guard against malformed or unexpected component types produced from attacker-controlled symbol strings, leading to a fatal condition during printing. Technical reproduction details are documented in the CRGF vulnerability report.
Attack Vector
Exploitation requires no authentication or user interaction beyond convincing a target to process the malicious PE file. An attacker uploads or distributes the file, and any Binutils-based tool that demangles its symbols crashes. See the CRGF crash report for reproduction steps using c++filt against the crafted input.
Detection Methods for CVE-2025-66864
Indicators of Compromise
- Unexpected crashes or SIGSEGV signals from c++filt, nm, objdump, or addr2line processes
- Core dumps generated when Binutils tools parse PE files received from untrusted sources
- CI/CD or malware-analysis job failures correlated with newly ingested PE samples
Detection Strategies
- Audit installed binutils package versions and flag hosts running 2.26 or earlier unpatched builds
- Monitor process termination telemetry for repeated abnormal exits of demangling binaries
- Inspect PE samples processed by build and analysis systems for malformed mangled symbol strings before invoking Binutils tools
Monitoring Recommendations
- Enable core dump collection on analysis hosts and alert on dumps originating from Binutils utilities
- Track invocations of c++filt and objdump against untrusted inputs in EDR or audit logs
- Centralize CI worker crash logs and correlate failures with sample hashes to identify malicious submissions
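The monitoring items above (abnormal exits of demangling binaries, core dumps from Binutils utilities, and correlating crashes with sample hashes) can be turned into a small triage script. The following is an added example, not code from the advisory or from GNU Binutils. The journal lines follow the message text systemd-coredump emits ("Process <pid> (<comm>) of user <uid> dumped core."), but the syslog-style prefix, the job-log format, and the sha256 placeholders are constructed for the example and must be adapted to the real collector and CI logger:

```python
import re
from collections import Counter

# Constructed sample journal lines (timestamp/host prefix is an assumption).
SAMPLE_JOURNAL = """\
Jan 14 10:02:11 ci-worker-3 systemd-coredump[4812]: Process 4801 (c++filt) of user 1001 dumped core.
Jan 14 10:02:12 ci-worker-3 systemd-coredump[4830]: Process 4825 (python3) of user 1001 dumped core.
Jan 14 10:05:40 ci-worker-3 systemd-coredump[5102]: Process 5099 (objdump) of user 1001 dumped core.
Jan 14 10:05:41 ci-worker-3 systemd-coredump[5120]: Process 5117 (c++filt) of user 1001 dumped core.
Jan 14 10:09:03 ci-worker-3 systemd-coredump[5305]: Process 5300 (nm) of user 1001 dumped core.
"""

# Constructed pipeline job log: which sample each worker PID was processing.
# The format is hypothetical; the sha256 values are placeholders, not real hashes.
SAMPLE_JOB_LOG = """\
job=771 pid=4801 tool=c++filt sample=sha256:PLACEHOLDER_A
job=772 pid=4825 tool=python3 sample=sha256:PLACEHOLDER_B
job=773 pid=5099 tool=objdump sample=sha256:PLACEHOLDER_A
job=774 pid=5117 tool=c++filt sample=sha256:PLACEHOLDER_A
job=775 pid=5300 tool=nm sample=sha256:PLACEHOLDER_C
"""

# Binutils front-ends that call the libiberty demangler on symbol names.
DEMANGLERS = frozenset({"c++filt", "nm", "objdump", "addr2line"})

COREDUMP_RE = re.compile(
    r"Process (?P<pid>\d+) \((?P<comm>[^)]+)\) of user (?P<uid>\d+) dumped core\.")
JOB_RE = re.compile(r"job=(?P<job>\d+) pid=(?P<pid>\d+) tool=\S+ sample=(?P<sample>\S+)")


def demangler_coredumps(journal_text):
    """Return (pid, comm) for every core dump whose process is a Binutils demangling tool."""
    hits = []
    for line in journal_text.splitlines():
        m = COREDUMP_RE.search(line)
        if m and m.group("comm") in DEMANGLERS:
            hits.append((int(m.group("pid")), m.group("comm")))
    return hits


def correlate_samples(journal_text, job_log_text):
    """Count demangler crashes per sample hash by joining coredump PIDs to job-log PIDs."""
    pid_to_sample = {}
    for line in job_log_text.splitlines():
        m = JOB_RE.search(line)
        if m:
            pid_to_sample[int(m.group("pid"))] = m.group("sample")
    counts = Counter()
    for pid, _comm in demangler_coredumps(journal_text):
        counts[pid_to_sample.get(pid, "<unknown>")] += 1
    return counts


def suspicious_samples(journal_text, job_log_text, threshold=2):
    """Samples that crashed a demangler at least `threshold` times: repeated crashes on
    one input point at malformed symbols rather than a flaky host."""
    counts = correlate_samples(journal_text, job_log_text)
    return sorted(s for s, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for pid, comm in demangler_coredumps(SAMPLE_JOURNAL):
        print(f"core dump from {comm} (pid {pid})")
    print("crashes per sample:", dict(correlate_samples(SAMPLE_JOURNAL, SAMPLE_JOB_LOG)))
    print("suspect samples:", suspicious_samples(SAMPLE_JOURNAL, SAMPLE_JOB_LOG))
```

The crash from `python3` is ignored because only the demangling tools are in scope; the threshold keeps a single crash (which may be a host problem) from flagging a sample, while a sample that repeatedly kills c++filt and objdump is surfaced for quarantine.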
How to Mitigate CVE-2025-66864
Immediate Actions Required
- Upgrade GNU Binutils to a version later than 2.26 that includes hardened cp-demangle.c logic
- Restrict use of Binutils tools to trusted binaries on production build infrastructure
- Sandbox demangling operations performed against attacker-supplied PE files using containers or seccomp profiles
Patch Information
No specific vendor advisory URL is included in the NVD record. Administrators should track the GNU Binutils release notes and their Linux distribution's security advisories for fixes referencing d_print_comp_inner and cp-demangle.c. Rebuild dependent tooling and libiberty consumers after applying the upstream patch.
Workarounds
- Pre-filter or reject PE files with malformed or oversized mangled symbol tables before invoking Binutils
- Run demangling utilities under resource-limited, isolated processes that can recover from crashes without impacting the pipeline
- Disable automatic symbol demangling in analysis workflows where it is not strictly required
# Configuration example: run c++filt as a transient, resource-limited systemd service (run as root so --uid applies).
# --wait blocks until c++filt exits and --pipe hands it this shell's stdin/stdout, so the redirections
# below reach the demangler. A service unit is used rather than --scope because NoNewPrivileges= is an
# exec-context property that scope units do not accept; --collect unloads the unit even if it failed.
systemd-run --wait --pipe --collect --uid=nobody --gid=nogroup \
    -p MemoryMax=256M -p CPUQuota=25% -p NoNewPrivileges=yes \
    c++filt < /input/symbols.txt > /output/demangled.txt
# A non-zero exit status here means c++filt was killed or hit a limit: treat the input file as suspect.
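The immediate actions and workarounds above both come down to the same pattern: run the demangler in a separate, resource-limited process and let the pipeline survive when it dies. The wrapper below is an added example, not code from the advisory or from GNU Binutils. It feeds a batch of mangled names to the demangler under address-space and CPU limits, and when the child is killed by a signal it bisects the batch so every benign symbol is still demangled and the single offending input is reported. The `simulated_demangler_cmd` stand-in, its `CRASHME` marker, and the sample symbol list are constructed so the demo runs without Binutils installed; against real tooling pass `cmd=("c++filt",)`.

```python
import signal
import subprocess
import sys
import resource
from dataclasses import dataclass, field


@dataclass
class DemangleResult:
    demangled: dict = field(default_factory=dict)  # mangled -> demangled (mangled form kept if it crashed the tool)
    crashed: list = field(default_factory=list)    # mangled names that killed the child process
    signals: dict = field(default_factory=dict)    # mangled name -> signal number that terminated the child


def _limit_child(max_bytes, cpu_seconds):
    """Runs in the child before exec: cap address space and CPU time so a runaway
    demangler cannot starve the pipeline (never raise the soft limit above the hard one)."""
    for res, value in ((resource.RLIMIT_AS, max_bytes), (resource.RLIMIT_CPU, cpu_seconds)):
        _, hard = resource.getrlimit(res)
        cap = value if hard == resource.RLIM_INFINITY else min(value, hard)
        resource.setrlimit(res, (cap, hard))


def _run_batch(cmd, names, max_bytes, cpu_seconds, timeout):
    """Pipe one batch of names into the demangler and return (returncode, stdout).
    A negative returncode is the signal that killed the child; a timeout is reported as SIGKILL."""
    try:
        proc = subprocess.run(
            list(cmd), input="\n".join(names) + "\n", capture_output=True, text=True,
            timeout=timeout, preexec_fn=lambda: _limit_child(max_bytes, cpu_seconds))
    except subprocess.TimeoutExpired:
        return -int(signal.SIGKILL), ""
    return proc.returncode, proc.stdout


def _demangle_recursive(names, cmd, limits, result):
    if not names:
        return
    rc, out = _run_batch(cmd, names, *limits)
    if rc >= 0:
        # Normal exit: c++filt prints one line per input line. Any line the tool did
        # not echo back keeps its mangled form rather than being dropped.
        lines = out.splitlines()
        for i, name in enumerate(names):
            result.demangled[name] = lines[i] if i < len(lines) else name
        return
    if len(names) == 1:
        # A single-symbol batch died by signal: this input is the one that crashed the tool.
        result.crashed.append(names[0])
        result.signals[names[0]] = -rc
        result.demangled[names[0]] = names[0]
        return
    # Crash on a multi-symbol batch: bisect so the benign symbols are still demangled.
    mid = len(names) // 2
    _demangle_recursive(names[:mid], cmd, limits, result)
    _demangle_recursive(names[mid:], cmd, limits, result)


def demangle_isolated(names, cmd=("c++filt",), max_bytes=256 << 20, cpu_seconds=5, timeout=10.0):
    """Demangle `names` in a resource-limited child; crashes are isolated to the offending symbol."""
    result = DemangleResult()
    _demangle_recursive(list(names), cmd, (max_bytes, cpu_seconds, timeout), result)
    return result


def simulated_demangler_cmd():
    """Constructed stand-in for c++filt so the demo runs without Binutils: echoes each
    line upper-cased and raises SIGSEGV on the marker 'CRASHME', imitating the crash
    the advisory describes. Not the real demangler."""
    script = (
        "import os, signal, sys\n"
        "data = sys.stdin.read()\n"
        "if 'CRASHME' in data:\n"
        "    os.kill(os.getpid(), signal.SIGSEGV)\n"
        "sys.stdout.write(''.join(line.upper() + '\\n' for line in data.splitlines()))\n"
    )
    return (sys.executable, "-c", script)


if __name__ == "__main__":
    # Constructed input: two ordinary Itanium-mangled names and one marker line that
    # makes the simulated tool crash. 1 GiB leaves room for the Python stand-in's startup.
    sample = ["_ZN3foo3barEv", "CRASHME_symbol", "_Z3bazi"]
    res = demangle_isolated(sample, cmd=simulated_demangler_cmd(), max_bytes=1 << 30)
    for name in sample:
        print(f"{name} -> {res.demangled[name]}")
    print("crashed the demangler:", res.crashed, res.signals)
```

The bisection costs O(k log n) extra process launches for k bad symbols in a batch of n, which is cheap next to a pipeline stall; the names in `crashed` are what to attach to the sample hash when quarantining the submission.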
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.